Press CTR-C to copy XML [help]


Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: Messaging Services

net.andresbustamante:y-a-foot-messaging-services:2.0.0-SNAPSHOT

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
aspectjweaver-1.9.24.jarpkg:maven/org.aspectj/aspectjweaver@1.9.24 049
freemarker-2.3.34.jarpkg:maven/org.freemarker/freemarker@2.3.34 044
jakarta.activation-api-2.1.3.jarcpe:2.3:a:eclipse:eclipse_ide:2.1.3:*:*:*:*:*:*:*pkg:maven/jakarta.activation/jakarta.activation-api@2.1.3MEDIUM3Highest50
jakarta.mail-api-2.1.3.jarcpe:2.3:a:eclipse:eclipse_ide:2.1.3:*:*:*:*:*:*:*pkg:maven/jakarta.mail/jakarta.mail-api@2.1.3MEDIUM3Highest41
logback-core-1.5.18.jarcpe:2.3:a:qos:logback:1.5.18:*:*:*:*:*:*:*pkg:maven/ch.qos.logback/logback-core@1.5.18 0Highest41
micrometer-commons-1.13.13.jarpkg:maven/io.micrometer/micrometer-commons@1.13.13 067
micrometer-observation-1.13.13.jarpkg:maven/io.micrometer/micrometer-observation@1.13.13 067
net.andresbustamante:y-a-foot-commons-api:2.0.0-SNAPSHOTpkg:maven/net.andresbustamante/y-a-foot-commons-api@2.0.0-SNAPSHOT 06
net.andresbustamante:y-a-foot-commons-services:2.0.0-SNAPSHOTpkg:maven/net.andresbustamante/y-a-foot-commons-services@2.0.0-SNAPSHOT 06
net.andresbustamante:y-a-foot-messaging-api:2.0.0-SNAPSHOTpkg:maven/net.andresbustamante/y-a-foot-messaging-api@2.0.0-SNAPSHOT 06
net.andresbustamante:y-a-foot-users-api:2.0.0-SNAPSHOTpkg:maven/net.andresbustamante/y-a-foot-users-api@2.0.0-SNAPSHOT 06
slf4j-api-2.0.17.jarpkg:maven/org.slf4j/slf4j-api@2.0.17 033
spring-core-6.1.19.jarcpe:2.3:a:pivotal_software:spring_framework:6.1.19:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:6.1.19:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:6.1.19:*:*:*:*:*:*:*		pkg:maven/org.springframework/spring-core@6.1.19 0Highest41

Dependencies

aspectjweaver-1.9.24.jar

Description:

The AspectJ weaver applies aspects to Java classes. It can be used as a Java agent in order to apply load-time
		weaving (LTW) during class-loading and also contains the AspectJ runtime classes.

License:

Eclipse Public License - v 2.0: https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.txt
File Path: /opt/tomcat/.m2/repository/org/aspectj/aspectjweaver/1.9.24/aspectjweaver-1.9.24.jar
MD5: d95bb9406a5351d45a02145777b9a241
SHA1: 9b5aeb0cea9f958b9c57fb80e62996e95a3e9379
SHA256:75e4227fb7dc5f97c3d4689cd1c2439f4db0bd18cea2fa242c4656cd93c599aa
Referenced In Project/Scope: Messaging Services:compile
aspectjweaver-1.9.24.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-commons-services@2.0.0-SNAPSHOT

Identifiers

freemarker-2.3.34.jar

Description:

    FreeMarker is a "template engine"; a generic tool to generate text output based on templates.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /opt/tomcat/.m2/repository/org/freemarker/freemarker/2.3.34/freemarker-2.3.34.jar
MD5: 1704fd3c579385ca5fd0ebcdf50df73c
SHA1: c2fa47a1c3b6dcdfca90e952e51211967a4baa54
SHA256:9a9fb91cd64199232eb1ca9766148a5d30ef8944be5fac051018f96c70c8f6a3
Referenced In Project/Scope: Messaging Services:compile
freemarker-2.3.34.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-commons-services@2.0.0-SNAPSHOT

Identifiers

jakarta.activation-api-2.1.3.jar

Description:

${project.name} ${spec.version} Specification

License:

EDL 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /opt/tomcat/.m2/repository/jakarta/activation/jakarta.activation-api/2.1.3/jakarta.activation-api-2.1.3.jar
MD5: 76e7b680375ea9f40f3ddbd702efcd25
SHA1: fa165bd70cda600368eee31555222776a46b881f
SHA256:01b176d718a169263e78290691fc479977186bcc6b333487325084d6586f4627
Referenced In Project/Scope: Messaging Services:compile
jakarta.activation-api-2.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/jakarta.mail/jakarta.mail-api@2.1.3

Identifiers

CVE-2023-4218  

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: MEDIUM (5.0)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2008-7271  

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2010-4647  

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

jakarta.mail-api-2.1.3.jar

Description:

${project.name} ${spec.version} Specification API

License:

EPL 2.0: http://www.eclipse.org/legal/epl-2.0
GPL2 w/ CPE: https://www.gnu.org/software/classpath/license.html
EDL 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /opt/tomcat/.m2/repository/jakarta/mail/jakarta.mail-api/2.1.3/jakarta.mail-api-2.1.3.jar
MD5: 288a687deb06b87602ce14cd03dddff4
SHA1: a327aa5f514ba86e80d54584417d7376ed2bde0e
SHA256:8051b58d75f982f9a5b963b3765426e824b2a64865ef0af17205e455b98db05c
Referenced In Project/Scope: Messaging Services:compile
jakarta.mail-api-2.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-messaging-services@2.0.0-SNAPSHOT

Identifiers

CVE-2023-4218  

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: MEDIUM (5.0)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2008-7271  

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2010-4647  

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

logback-core-1.5.18.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /opt/tomcat/.m2/repository/ch/qos/logback/logback-core/1.5.18/logback-core-1.5.18.jar
MD5: 10bcea83842beead15f072799b9c923d
SHA1: 6c0375624f6f36b4e089e2488ba21334a11ef13f
SHA256:85139e7b57b464f8e5e36326dd81317648bed199ccc4f98cd42585f8d7571027
Referenced In Project/Scope: Messaging Services:compile
logback-core-1.5.18.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-commons-services@2.0.0-SNAPSHOT

Identifiers

micrometer-commons-1.13.13.jar

Description:

Module containing common code

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /opt/tomcat/.m2/repository/io/micrometer/micrometer-commons/1.13.13/micrometer-commons-1.13.13.jar
MD5: 3a91c7465b7ee9c005e26c3481a636b2
SHA1: 9fa147a70b0fbc237bd0ce9ec2a2fa9b33bc7bd7
SHA256:8613395fb4914819610d0b24ccf7345b30ee40e7bc08699cfcfb746bb2cb881d
Referenced In Project/Scope: Messaging Services:compile
micrometer-commons-1.13.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework/spring-context@6.1.19

Identifiers

micrometer-observation-1.13.13.jar

Description:

Module containing Observation related code

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /opt/tomcat/.m2/repository/io/micrometer/micrometer-observation/1.13.13/micrometer-observation-1.13.13.jar
MD5: 5511e8e9460c294024a0789dbb015948
SHA1: 8f5dcc8e44120ac65f53cf79581ca8894c560c5b
SHA256:35b40b485eb0514ff57fa15cbcd3c0cc850a1c72421cb7090e97e8e191167b99
Referenced In Project/Scope: Messaging Services:compile
micrometer-observation-1.13.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework/spring-context@6.1.19

Identifiers

net.andresbustamante:y-a-foot-commons-api:2.0.0-SNAPSHOT

Description:

Shared API classes and interfaces

File Path: /opt/tomcat/.jenkins/workspace/y-a-foot_y-a-foot_build_develop/y-a-foot-commons-api/pom.xml

Referenced In Project/Scope: Messaging Services
net.andresbustamante:y-a-foot-commons-api:2.0.0-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-messaging-services@2.0.0-SNAPSHOT

Identifiers

net.andresbustamante:y-a-foot-commons-services:2.0.0-SNAPSHOT

Description:

Shared classes and interfaces for the services layer

File Path: /opt/tomcat/.jenkins/workspace/y-a-foot_y-a-foot_build_develop/y-a-foot-commons-services/pom.xml

Referenced In Project/Scope: Messaging Services
net.andresbustamante:y-a-foot-commons-services:2.0.0-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-messaging-services@2.0.0-SNAPSHOT

Identifiers

net.andresbustamante:y-a-foot-messaging-api:2.0.0-SNAPSHOT

Description:

Messaging API classes and interfaces

File Path: /opt/tomcat/.jenkins/workspace/y-a-foot_y-a-foot_build_develop/y-a-foot-messaging-api/pom.xml

Referenced In Project/Scope: Messaging Services
net.andresbustamante:y-a-foot-messaging-api:2.0.0-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-messaging-services@2.0.0-SNAPSHOT

Identifiers

net.andresbustamante:y-a-foot-users-api:2.0.0-SNAPSHOT

Description:

Users API classes and interfaces

File Path: /opt/tomcat/.jenkins/workspace/y-a-foot_y-a-foot_build_develop/y-a-foot-users-api/pom.xml

Referenced In Project/Scope: Messaging Services
net.andresbustamante:y-a-foot-users-api:2.0.0-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-messaging-services@2.0.0-SNAPSHOT

Identifiers

slf4j-api-2.0.17.jar

Description:

The slf4j API

License:

https://opensource.org/license/mit
File Path: /opt/tomcat/.m2/repository/org/slf4j/slf4j-api/2.0.17/slf4j-api-2.0.17.jar
MD5: b6480d114a23683498ac3f746f959d2f
SHA1: d9e58ac9c7779ba3bf8142aff6c830617a7fe60f
SHA256:7b751d952061954d5abfed7181c1f645d336091b679891591d63329c622eb832
Referenced In Project/Scope: Messaging Services:compile
slf4j-api-2.0.17.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-messaging-services@2.0.0-SNAPSHOT

Identifiers

spring-core-6.1.19.jar

Description:

Spring Core

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /opt/tomcat/.m2/repository/org/springframework/spring-core/6.1.19/spring-core-6.1.19.jar
MD5: c7b7de19a43581b1f22d87fbfa192cd5
SHA1: 85718bafdeda6c6b4b0782afda2002299c3f918a
SHA256:a46e9b693d6be2cce3bc3f2b6ed144c4a7198dcc5c355ca3c63b383d8e911800
Referenced In Project/Scope: Messaging Services:compile
spring-core-6.1.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/net.andresbustamante/y-a-foot-commons-test@2.0.0-SNAPSHOT

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.