Vulnerabilities: 15 via 41 paths
Dependencies: 81
Source: GitHub

Issue type: 15 vulnerabilities, 5 license issues
Severity: 1 critical, 3 high, 16 medium
Status: 20 open

critical severity (new)

Improper Authentication

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured: a request that presents a username unknown to the realm is incorrectly treated as authenticated, so an attacker can reach DIGEST-protected resources without valid credentials. Exposure check: this only matters if the application actually configures Tomcat's DIGEST authenticator; a Spring Boot application that delegates authentication to Spring Security does not enable it by default.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher. In this project the 11.0.21 version is managed by Spring Boot 4.1.0-RC1, so override the tomcat.version property exposed by Spring Boot's dependency management (or move to a Spring Boot release that manages 11.0.22 or later) rather than declaring tomcat-embed-core directly, then confirm the resolved version in the build tool's dependency tree. The same upgrade closes the other tomcat-embed-core findings in this report.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: com.fasterxml.jackson.core:jackson-core
  • Introduced through: net.sf.jasperreports:jasperreports@7.0.7 and net.sf.jasperreports:jasperreports-pdf@7.0.7

Detailed paths

  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.core:jackson-databind@2.18.6 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 > com.fasterxml.jackson.core:jackson-databind@2.18.6 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.core:jackson-databind@2.18.6 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 > com.fasterxml.jackson.core:jackson-core@2.18.6
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > net.sf.jasperreports:jasperreports@7.0.7 > com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 > com.fasterxml.jackson.core:jackson-databind@2.18.6 > com.fasterxml.jackson.core:jackson-core@2.18.6

Overview

com.fasterxml.jackson.core:jackson-core provides Jackson's core abstractions and the basic JSON streaming API implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.7, 2.21.2 or higher. Here jackson-core 2.18.6 arrives transitively through jasperreports 7.0.7, so pin the fixed version in the project's own dependency management and confirm the resolved version with the build tool's dependency tree; keep jackson-databind and jackson-dataformat-xml on the same patch level.
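The limit the advisory refers to is Jackson's configurable document-length constraint. The program below is an added example, not code from the JasperReportBoot project or from Jackson: it builds an ObjectMapper with a 1 KiB document cap (the cap and the sample document are illustrative), feeds an oversized document through both the blocking InputStream path and the DataInput path that the advisory names, and exits non-zero if either path parses it without raising StreamConstraintsException. Run it against the upgraded jackson-core as a regression check; it needs jackson-core and jackson-databind on the classpath.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not JasperReportBoot or Jackson code): configure Jackson's
 * document-length limit and check that it is actually enforced on the
 * blocking and DataInput parser paths named in the advisory.
 */
public class JacksonDocLengthCheck {

    // Illustrative cap; choose one that still covers your largest legitimate payload.
    static final long MAX_DOC_BYTES = 1_024;

    static ObjectMapper boundedMapper() {
        StreamReadConstraints limits = StreamReadConstraints.builder()
                .maxDocumentLength(MAX_DOC_BYTES)
                .maxNestingDepth(50)        // defence in depth against deeply nested input
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(limits)
                .build();
        return JsonMapper.builder(factory).build();
    }

    /** Constructed oversized input: a flat JSON array several times the cap. */
    static String oversizedJson() {
        StringBuilder sb = new StringBuilder("[");
        while (sb.length() < MAX_DOC_BYTES * 4) {
            sb.append("\"aaaaaaaaaaaaaaaa\",");
        }
        sb.setLength(sb.length() - 1);      // drop the trailing comma
        return sb.append(']').toString();
    }

    /** True only if the parser refused the document with a constraints error. */
    static boolean rejectsOversized(ObjectMapper mapper, String json, boolean viaDataInput) {
        byte[] bytes = json.getBytes(StandardCharsets.UTF_8);
        try {
            if (viaDataInput) {
                // DataInput parser path, listed separately in the advisory
                mapper.readValue(new DataInputStream(new ByteArrayInputStream(bytes)), JsonNode.class);
            } else {
                // blocking InputStream parser path
                mapper.readValue(new ByteArrayInputStream(bytes), JsonNode.class);
            }
            return false;                   // whole document parsed: limit not enforced
        } catch (StreamConstraintsException expected) {
            return true;
        } catch (Exception other) {
            throw new IllegalStateException("unexpected parser failure", other);
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = boundedMapper();
        String big = oversizedJson();
        boolean blocking = rejectsOversized(mapper, big, false);
        boolean dataInput = rejectsOversized(mapper, big, true);
        System.out.println("blocking parser enforces maxDocumentLength:  " + blocking);
        System.out.println("DataInput parser enforces maxDocumentLength: " + dataInput);
        if (!(blocking && dataInput)) {
            System.exit(1);                 // fail the CI step on a vulnerable jackson-core
        }
    }
}
```

The async (non-blocking) parser path the advisory also lists is fed incrementally through a feeder rather than a stream, so it needs its own small harness; the structure is the same: feed more than the cap and expect StreamConstraintsException.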

high severity (new)

Deserialization of Untrusted Data

  • Vulnerable module: net.sf.jasperreports:jasperreports
  • Introduced through: net.sf.jasperreports:jasperreports@7.0.7 and net.sf.jasperreports:jasperreports-pdf@7.0.7

Detailed paths

  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports@7.0.7
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > net.sf.jasperreports:jasperreports@7.0.7

Overview

net.sf.jasperreports:jasperreports is an open source reporting engine for Java.

Affected versions of this package deserialize untrusted data through the library's ObjectInputStream subclasses. An attacker who can supply a serialized object, such as a crafted compiled .jasper file or a subreport URL that resolves to one, can achieve remote code execution on the JVM host. Exposure check: the attack surface is wherever report templates, subreports or other serialized report artifacts are loaded from user-controlled locations (uploads, user-supplied paths or URLs); reports compiled and shipped with the application are not attacker-controlled.

Details

Serialization is the process of converting an object into a sequence of bytes that can be persisted to disk or a database or sent over a stream; the reverse process of rebuilding an object from that byte sequence is deserialization. Serialization is commonly used for communication (sharing objects between hosts) and persistence (storing object state in a file or database), and it is an integral part of protocols such as Remote Method Invocation (RMI), Java Management Extensions (JMX), Java Message Service (JMS), Action Message Format (AMF) and Java Server Faces (JSF) ViewState.

Deserialization of untrusted data (CWE-502) occurs when an application deserializes data it does not control without sufficiently verifying that the result will be valid, letting the attacker control the state or flow of execution: the byte stream names which classes are instantiated, and those classes' readObject() and resolution hooks run before the application ever sees the result.

Remediation

There is no fixed version for net.sf.jasperreports:jasperreports. Until one exists, treat compiled report artifacts as code: load them only from trusted, integrity-checked locations, never from user-controlled paths or URLs, and consider a JVM-wide serialization filter as a compensating control.
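With no fixed version available, a JVM-wide serialization filter (JEP 290, java.io.ObjectInputFilter, available since JDK 9) is the compensating control to reach for, because JasperReports' ObjectInputStream subclasses inherit it. The program below is an added example, not JasperReports or JasperReportBoot code. The allow-listed packages are an assumption that has to be derived from the classes your own compiled reports actually contain, and the demonstration classes and objects are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not JasperReports or JasperReportBoot code): a process-wide
 * JDK serialization filter as a compensating control while no fixed
 * jasperreports version exists. Every ObjectInputStream in the JVM, including
 * the library's own subclasses, consults this filter before instantiating a
 * class from the stream.
 */
public class SerialFilterGuard {

    /**
     * Allow-list pattern. The package prefixes are an assumption you must
     * derive from your own compiled .jasper files; anything not listed is
     * rejected by the trailing "!*". The numeric limits bound graph depth,
     * reference count, array sizes and total stream bytes.
     */
    static final String FILTER_PATTERN =
            "maxdepth=64;maxrefs=100000;maxarray=1000000;maxbytes=52428800;"
          + "java.lang.**;java.util.**;java.awt.Color;"   // assumed needs of .jasper graphs
          + "net.sf.jasperreports.**;"                    // report engine classes
          + "!*";                                         // deny everything else

    /** Install once at startup, before the first report is loaded. */
    static void install() {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        ObjectInputFilter.Config.setSerialFilter(filter);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the JVM-wide filter in force; returns null if the filter rejected it. */
    static Object readOrNull(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            return null;   // a REJECTED filter status surfaces as InvalidClassException
        }
    }

    /** Constructed stand-in for an attacker-supplied class that is not on the allow-list. */
    static final class NotOnAllowList implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "constructed sample";
    }

    public static void main(String[] args) throws Exception {
        install();

        List<String> benign = new ArrayList<>(List.of("report", "data"));
        Object allowed = readOrNull(serialize(benign));
        System.out.println("java.util.ArrayList accepted: " + benign.equals(allowed));

        Object blocked = readOrNull(serialize(new NotOnAllowList()));
        System.out.println("unlisted class rejected:      " + (blocked == null));
    }
}
```

Install the filter before the first report is loaded, or pass the same pattern on the command line with -Djdk.serialFilter=... and drop install(). The filter cannot make a hostile .jasper safe, since net.sf.jasperreports.** itself has to stay on the allow-list; what it does is take every gadget class outside that list out of the attacker's reach and bound graph depth, reference counts and stream size. Loading report artifacts only from trusted locations remains the primary control.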

high severity (new)

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the XML request bodies of WebDAV LOCK and PROPFIND requests. An attacker can cause excessive resource consumption by sending crafted requests that trigger unbounded reads of the body. Exposure check: only applications that deploy Tomcat's WebDAV servlet are reachable; a Spring Boot application does not register it by default.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

medium severity (new)

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behaviour, and potentially compromise the application, by sending specially crafted HTTP/2 request headers. Exposure check: this is only reachable when HTTP/2 is enabled on the connector (server.http2.enabled=true in Spring Boot); an HTTP/1.1-only connector does not exercise this code.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

medium severity (new)

Exposure of Private Personal Information to an Unauthorized Actor

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21

Overview

Affected versions of this package expose credentials from the WebSocket client during authentication: when the client opens a handshake to a host that demands HTTP authentication, it can send the configured authentication headers to a malicious host, which thereby obtains them. Exposure check: only outbound connections made with Tomcat's WebSocket client API are affected; serving WebSocket endpoints to browsers does not go through the client code.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.0.1, 9.0.0.M1, 9.0.118, 10.1.55, 11.0.22 or higher; for the 11.0.x line used here the target is 11.0.22. Keep tomcat-embed-websocket and tomcat-embed-core at the same version, which the tomcat.version override does automatically.

medium severity (new)

Timing Attack

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to a Timing Attack in the AJP secret comparison. An attacker who can reach the AJP connector directly can send many authentication attempts and measure how long each comparison takes, learning byte by byte whether a guessed secret is correct. Exposure check: this requires an AJP connector to be configured and reachable; Spring Boot's embedded Tomcat starts with an HTTP connector only, and an AJP connector should never be reachable from untrusted networks in any case.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70

Detailed paths

  • arachan/JasperReportBoot > org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in ASN1ObjectIdentifier parsing. An attacker can cause excessive resource consumption by submitting a specially crafted ASN.1 object identifier encoding, potentially disrupting the service.

Note: this only affects applications that parse unvetted or otherwise unvalidated ASN.1 encodings, such as certificates, CRLs, signatures or keys received from untrusted parties.

Remediation

A fix was pushed to the master branch but has not been published for this artifact. Note that bcprov-jdk15on ends at 1.70: later Bouncy Castle releases ship as bcprov-jdk18on (and bcprov-jdk15to18), so the practical remediation is to switch this direct dependency to the current bcprov-jdk18on artifact, which also resolves the other bcprov-jdk15on findings in this report.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70

Detailed paths

  • arachan/JasperReportBoot > org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1 objects, potentially leading to service disruption.

Workaround

This vulnerability can be mitigated by limiting the size of ASN.1 objects that can be loaded from untrusted sources, thereby capping the maximum size of a Name Constraints structure.

Remediation

A fix was pushed into the master branch but not yet published.

medium severity

Observable Discrepancy

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70

Detailed paths

  • arachan/JasperReportBoot > org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Observable Discrepancy: the exceptions thrown while processing RSA key-exchange handshakes take measurably different times depending on the padding outcome, which gives a network attacker a Bleichenbacher-style oracle (known as the Marvin attack). Exposure check: this is relevant where the application uses Bouncy Castle's TLS implementation with RSA key exchange, or otherwise decrypts PKCS#1 v1.5 ciphertexts supplied by untrusted parties.

Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

medium severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70

Detailed paths

  • arachan/JasperReportBoot > org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') in the org.bouncycastle.openssl.PEMParser class. Parsing a PEM file whose ASN.1 payload has been crafted (an EXTERNAL-tagged encoding) through PEMParser causes an OutOfMemoryError, which takes down the whole JVM rather than just the request.

Workaround

The attack can be avoided by rejecting PEM input that contains EXTERNAL-tagged encodings before it reaches PEMParser.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.
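The three Bouncy Castle resource findings above (crafted object identifiers, oversized name-constraint structures, EXTERNAL-tagged PEM input) share one workaround: bound untrusted ASN.1 before Bouncy Castle parses it. The class below is an added example, not Bouncy Castle or JasperReportBoot code, and uses only the JDK. It walks the DER tag-length-value structure, rejects indefinite or overrunning lengths, caps total size and nesting depth, and refuses any EXTERNAL tag. The byte cap and depth limit are illustrative assumptions, and the sample encodings in main() are constructed for the example.

```java
import java.util.Base64;

/**
 * Added example (not Bouncy Castle or JasperReportBoot code): a pre-parser
 * that bounds untrusted ASN.1/DER input before it reaches Bouncy Castle,
 * implementing the workaround the advisories describe: cap the size of
 * ASN.1 objects loaded from untrusted sources and reject EXTERNAL-tagged
 * encodings. JDK only, so it runs stand-alone.
 */
public final class DerInputGate {

    static final int MAX_TOTAL_BYTES = 64 * 1024; // assumed cap, larger than any expected cert or CRL
    static final int MAX_DEPTH = 32;              // assumed nesting bound
    static final int TAG_EXTERNAL = 0x28;         // UNIVERSAL 8, constructed

    /** Thrown for anything the gate refuses; such bytes never reach the real parser. */
    static final class RejectedAsn1 extends Exception {
        RejectedAsn1(String why) { super(why); }
    }

    /** Validate DER bytes; returns the number of TLVs walked. */
    static int check(byte[] der) throws RejectedAsn1 {
        if (der.length > MAX_TOTAL_BYTES) {
            throw new RejectedAsn1("input exceeds " + MAX_TOTAL_BYTES + " bytes");
        }
        int[] count = {0};
        walk(der, 0, der.length, 0, count);
        return count[0];
    }

    /** Walks every TLV in der[start, end), recursing into constructed values. */
    private static void walk(byte[] der, int start, int end, int depth, int[] count) throws RejectedAsn1 {
        if (depth > MAX_DEPTH) throw new RejectedAsn1("nesting deeper than " + MAX_DEPTH);
        int pos = start;
        while (pos < end) {
            int tag = der[pos++] & 0xFF;
            if ((tag & 0x1F) == 0x1F) throw new RejectedAsn1("high-tag-number form not accepted");
            if (tag == TAG_EXTERNAL) throw new RejectedAsn1("EXTERNAL tag present");
            if (pos >= end) throw new RejectedAsn1("truncated length");
            int first = der[pos++] & 0xFF;
            int len;
            if (first < 0x80) {
                len = first;                                   // short form
            } else {
                int n = first & 0x7F;                          // long form: n length bytes follow
                if (n == 0) throw new RejectedAsn1("indefinite length is not DER");
                if (n > 3) throw new RejectedAsn1("length field of " + n + " bytes is unreasonable");
                if (pos + n > end) throw new RejectedAsn1("truncated length");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xFF);
                int minimal = (n == 1) ? 0x80 : (1 << (8 * (n - 1)));
                if (len < minimal) throw new RejectedAsn1("non-minimal length encoding");
            }
            if (len > end - pos) throw new RejectedAsn1("declared length " + len + " overruns input");
            count[0]++;
            if ((tag & 0x20) != 0) walk(der, pos, pos + len, depth + 1, count); // constructed value
            pos += len;
        }
    }

    /** Strip PEM armour and decode; the MIME decoder tolerates line breaks. */
    static byte[] pemBody(String pem) {
        String body = pem.replaceAll("-----BEGIN [^-]+-----", "")
                         .replaceAll("-----END [^-]+-----", "");
        return Base64.getMimeDecoder().decode(body);
    }

    public static void main(String[] args) {
        // Constructed sample: SEQUENCE { INTEGER 1, OCTET STRING "ab" }
        byte[] good = {0x30, 0x07, 0x02, 0x01, 0x01, 0x04, 0x02, 0x61, 0x62};
        try { System.out.println("TLVs walked: " + check(good)); }
        catch (RejectedAsn1 e) { System.out.println("unexpected: " + e.getMessage()); }

        // Constructed sample: SEQUENCE whose inner element is EXTERNAL-tagged
        byte[] external = {0x30, 0x02, 0x28, 0x00};
        try { check(external); } catch (RejectedAsn1 e) { System.out.println("rejected: " + e.getMessage()); }

        // Constructed sample: declared length far larger than the input
        byte[] overrun = {0x30, (byte) 0x82, 0x7F, (byte) 0xFF, 0x02, 0x01, 0x01};
        try { check(overrun); } catch (RejectedAsn1 e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Call check(pemBody(text)) on PEM input, or check(bytes) on raw DER, before handing the bytes to PEMParser, CertificateFactory or PKIXCertPathReviewer, and treat RejectedAsn1 as a client error. The gate deliberately does not interpret the content; it only guarantees that the structure is bounded, which is what the workaround asks for.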

medium severity (new)

Improper Authorization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define the same HTTP method for the same URL extension pattern. An attacker can reach protected resources by crafting requests that exploit the incorrect merging of these constraints. Exposure check: this concerns Tomcat's own security constraints (web.xml or programmatic constraints); an application that enforces authorization with Spring Security's filter chain is not relying on them, but any constraint-based rules it does declare should be reviewed.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

medium severity (new)

Improper Handling of Case Sensitivity

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0-RC1

Detailed paths

  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • arachan/JasperReportBoot > org.springframework.boot:spring-boot-starter-web@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 > org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 > org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the LockOutRealm: failed attempts for differently cased spellings of the same username are counted separately, so against a backing realm that matches usernames case-insensitively an attacker can keep guessing by varying the letter casing and never trip the lockout threshold.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.
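The bypass comes down to which key the failed-attempt counter uses. The class below is an added example, not Tomcat's LockOutRealm or JasperReportBoot code: a minimal lockout tracker with the counter keyed on the raw username next to one keyed on a canonical form, driven by a constructed attacker loop that cycles the case of "admin". The thresholds (5 failures, 300 s) are illustrative.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

/**
 * Added example (not Tomcat or JasperReportBoot code): a minimal failed-login
 * lockout tracker showing why keying the counter on the raw username lets an
 * attacker dodge lockout by varying case, and how a canonical key closes the gap.
 */
public final class LockoutTracker {

    static final int FAILURE_COUNT = 5;            // illustrative threshold
    static final long LOCK_OUT_MILLIS = 300_000L;  // illustrative lock duration

    private final Map<String, Integer> failures = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();
    private final Function<String, String> keyOf;

    LockoutTracker(Function<String, String> keyOf) { this.keyOf = keyOf; }

    /** Weak behaviour: "admin" and "ADMIN" get separate counters. */
    static LockoutTracker rawKeyed() { return new LockoutTracker(u -> u); }

    /** Hardened: canonicalise the same way the backing realm compares names. */
    static LockoutTracker canonicalKeyed() {
        return new LockoutTracker(u -> u.trim().toLowerCase(Locale.ROOT));
    }

    boolean isLocked(String user, long now) {
        Long until = lockedUntil.get(keyOf.apply(user));
        return until != null && now < until;
    }

    /** Record an authentication attempt; returns true if lockout rejected it outright. */
    boolean attempt(String user, boolean credentialsValid, long now) {
        String key = keyOf.apply(user);
        if (isLocked(user, now)) return true;
        if (credentialsValid) {
            failures.remove(key);                  // success resets the counter
            return false;
        }
        int n = failures.merge(key, 1, Integer::sum);
        if (n >= FAILURE_COUNT) lockedUntil.put(key, now + LOCK_OUT_MILLIS);
        return false;
    }

    /** Constructed attacker: 24 wrong guesses spread over six spellings, four per spelling. */
    static boolean attackerGetsLocked(LockoutTracker t) {
        String[] variants = {"admin", "Admin", "ADMIN", "aDmin", "adMIN", "admIN"};
        long now = 0;
        for (int i = 0; i < 24; i++) {
            now += 1_000;
            t.attempt(variants[i % variants.length], false, now);
        }
        return t.isLocked("admin", now);
    }

    public static void main(String[] args) {
        System.out.println("raw-keyed tracker locks the attacker:       " + attackerGetsLocked(rawKeyed()));
        System.out.println("canonical-keyed tracker locks the attacker: " + attackerGetsLocked(canonicalKeyed()));
    }
}
```

The canonical form has to match how the backing realm compares usernames: case-folding is only right when the realm is case-insensitive, as LDAP and many database collations are; against a case-sensitive realm the hardened tracker would let one account's failures lock out a different, similarly named one, and there the differently cased names are distinct accounts anyway, so varying case gains the attacker nothing.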

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70

Detailed paths

  • arachan/JasperReportBoot > org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function of ECCurve.java, which is reached during certificate verification on binary (F2m) curves. Passing a large F2m parameter causes excessive CPU consumption, so a crafted certificate or key can tie up the verifying thread.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

medium severity

Information Exposure

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70

Detailed paths

  • arachan/JasperReportBoot > org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Information Exposure due to missing validation of the X.500 name of a certificate, subject or issuer before it is used in an LDAP query. A wildcard in such a name may lead to information disclosure: a malicious user can perform blind LDAP injection, probing the directory structure and enumerating data.

Note: exploitation depends on the structure of the target LDAP directory and on which errors are exposed to the user, and only applications that use Bouncy Castle's LDAP-backed certificate store to look up certificates by name are affected.

Remediation

A fix was pushed into the master branch but not yet published.

medium severity

Dual license: LGPL-2.1, MPL-2.0

  • Module: com.github.librepdf:openpdf
  • Introduced through: net.sf.jasperreports:jasperreports-pdf@7.0.7

Detailed paths

  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > com.github.librepdf:openpdf@1.3.43.jaspersoft.1

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: junit:junit@4.13.2 and net.sf.barcode4j:barcode4j@2.1

Detailed paths

  • arachan/JasperReportBoot > junit:junit@4.13.2
  • arachan/JasperReportBoot > net.sf.barcode4j:barcode4j@2.1 > commons-cli:commons-cli@1.0 > commons-lang:commons-lang@1.0 > junit:junit@4.13.2

medium severity

LGPL-2.0 license

  • Module: net.sf.jasperreports:jasperreports
  • Introduced through: net.sf.jasperreports:jasperreports@7.0.7 and net.sf.jasperreports:jasperreports-pdf@7.0.7

Detailed paths

  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports@7.0.7
  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7 > net.sf.jasperreports:jasperreports@7.0.7

medium severity

LGPL-2.0 license

  • Module: net.sf.jasperreports:jasperreports-fonts
  • Introduced through: net.sf.jasperreports:jasperreports-fonts@7.0.7

Detailed paths

  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-fonts@7.0.7

medium severity

LGPL-2.0 license

  • Module: net.sf.jasperreports:jasperreports-pdf
  • Introduced through: net.sf.jasperreports:jasperreports-pdf@7.0.7

Detailed paths

  • arachan/JasperReportBoot > net.sf.jasperreports:jasperreports-pdf@7.0.7