high severity
- Vulnerable module: commons-beanutils:commons-beanutils
- Introduced through: net.sf.jasperreports:jasperreports@7.0.3 and net.sf.jasperreports:jasperreports-pdf@7.0.3
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports@7.0.3 › commons-beanutils:commons-beanutils@1.9.4
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports-pdf@7.0.3 › net.sf.jasperreports:jasperreports@7.0.3 › commons-beanutils:commons-beanutils@1.9.4
Overview
commons-beanutils:commons-beanutils provides an easy-to-use but flexible wrapper around reflection and introspection.
Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and getNestedProperty methods of the PropertyUtilsBean class. An attacker can execute arbitrary code by accessing the declaredClass property of Java enum objects, which allows access to the ClassLoader.
Note: The BeanIntrospector class that can mitigate this vulnerability was added in version 1.9.2, but its usage was not enabled by default.
Remediation
Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or higher.
high severity
- Vulnerable module: net.sf.jasperreports:jasperreports
- Introduced through: net.sf.jasperreports:jasperreports@7.0.3 and net.sf.jasperreports:jasperreports-pdf@7.0.3
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports@7.0.3
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports-pdf@7.0.3 › net.sf.jasperreports:jasperreports@7.0.3
Overview
net.sf.jasperreports:jasperreports is an open source reporting engine for Java.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data when processing .jasper files from untrusted sources. An attacker can achieve remote execution of arbitrary code by providing a malicious JRXML report template or their own compiled *.jasper report template.
Applications using only predefined/canned reports are not vulnerable because they do not load report templates from user input.
Additionally, to be vulnerable, the application must be running on a Java version older than 17.
Details
Serialization is the process of converting an object into a sequence of bytes which can be persisted to a disk or database or sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
There is no fixed version for net.sf.jasperreports:jasperreports.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption.
Note: This issue only applies to applications which consume unvetted, or otherwise unvalidated, ASN.1 encodings.
Remediation
A fix was pushed into the master branch but not yet published.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1 objects, potentially leading to service disruption.
Workaround
This vulnerability can be mitigated by limiting the size of ASN.1 objects that can be loaded from untrusted sources, thereby capping the maximum size of a Name Constraints structure.
Remediation
A fix was pushed into the master branch but not yet published.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, also known as the Marvin attack.
Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk15on.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the org.bouncycastle.openssl.PEMParser class. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError.
Workaround
The attack can be avoided by filtering PEM requests containing EXTERNAL tagged encodings.
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk15on.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function used for certificate verification in ECCurve.java. Passing a large f2m parameter can cause excessive CPU consumption.
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk15on.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Information Exposure due to missing validation of the X.500 name of any certificate subject or issuer. The presence of a wildcard may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP injection, exploring the environment and enumerating data.
Note: The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.
Remediation
A fix was pushed into the master branch but not yet published.
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-M1
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.springframework.boot:spring-boot-starter-web@4.1.0-M1 › org.springframework.boot:spring-boot-starter-jackson@4.1.0-M1 › org.springframework.boot:spring-boot-starter@4.1.0-M1 › org.springframework.boot:spring-boot-starter-logging@4.1.0-M1 › ch.qos.logback:logback-classic@1.5.25
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.springframework.boot:spring-boot-starter-web@4.1.0-M1 › org.springframework.boot:spring-boot-starter-tomcat@4.1.0-M1 › org.springframework.boot:spring-boot-starter@4.1.0-M1 › org.springframework.boot:spring-boot-starter-logging@4.1.0-M1 › ch.qos.logback:logback-classic@1.5.25
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-M1
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.springframework.boot:spring-boot-starter-web@4.1.0-M1 › org.springframework.boot:spring-boot-starter-jackson@4.1.0-M1 › org.springframework.boot:spring-boot-starter@4.1.0-M1 › org.springframework.boot:spring-boot-starter-logging@4.1.0-M1 › ch.qos.logback:logback-classic@1.5.25 › ch.qos.logback:logback-core@1.5.25
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › org.springframework.boot:spring-boot-starter-web@4.1.0-M1 › org.springframework.boot:spring-boot-starter-tomcat@4.1.0-M1 › org.springframework.boot:spring-boot-starter@4.1.0-M1 › org.springframework.boot:spring-boot-starter-logging@4.1.0-M1 › ch.qos.logback:logback-classic@1.5.25 › ch.qos.logback:logback-core@1.5.25
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: com.github.librepdf:openpdf
- Introduced through: net.sf.jasperreports:jasperreports-pdf@7.0.3
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports-pdf@7.0.3 › com.github.librepdf:openpdf@1.3.32
Dual license: LGPL-2.1, MPL-2.0
medium severity
- Module: junit:junit
- Introduced through: junit:junit@4.13.2 and net.sf.barcode4j:barcode4j@2.1
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › junit:junit@4.13.2
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.barcode4j:barcode4j@2.1 › commons-cli:commons-cli@1.0 › commons-lang:commons-lang@1.0 › junit:junit@4.13.2
EPL-1.0 license
medium severity
- Module: net.sf.jasperreports:jasperreports
- Introduced through: net.sf.jasperreports:jasperreports@7.0.3 and net.sf.jasperreports:jasperreports-pdf@7.0.3
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports@7.0.3
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports-pdf@7.0.3 › net.sf.jasperreports:jasperreports@7.0.3
LGPL-2.0 license
medium severity
- Module: net.sf.jasperreports:jasperreports-fonts
- Introduced through: net.sf.jasperreports:jasperreports-fonts@7.0.3
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports-fonts@7.0.3
LGPL-2.0 license
medium severity
- Module: net.sf.jasperreports:jasperreports-pdf
- Introduced through: net.sf.jasperreports:jasperreports-pdf@7.0.3
Detailed paths
- Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot#ace24b0b9011a797130390e6f78872d89aeee01c › net.sf.jasperreports:jasperreports-pdf@7.0.3
LGPL-2.0 license