Vulnerabilities |
8 via 16 paths |
|---|---|
Dependencies |
81 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: com.fasterxml.jackson.core:jackson-core
- Introduced through: net.sf.jasperreports:jasperreports@7.0.7 and net.sf.jasperreports:jasperreports-pdf@7.0.7
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.core:jackson-databind@2.18.6 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 › com.fasterxml.jackson.core:jackson-databind@2.18.6 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.core:jackson-databind@2.18.6 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 › com.fasterxml.jackson.core:jackson-core@2.18.6
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › net.sf.jasperreports:jasperreports@7.0.7 › com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.18.6 › com.fasterxml.jackson.core:jackson-databind@2.18.6 › com.fasterxml.jackson.core:jackson-core@2.18.6
Overview
com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.7, 2.21.2 or higher.
References
high severity
new
- Vulnerable module: net.sf.jasperreports:jasperreports
- Introduced through: net.sf.jasperreports:jasperreports@7.0.7 and net.sf.jasperreports:jasperreports-pdf@7.0.7
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports@7.0.7
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › net.sf.jasperreports:jasperreports@7.0.7
Overview
net.sf.jasperreports:jasperreports is an open source reporting engine for Java.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ObjectInputStream subclasses. An attacker can achieve remote code execution on the JVM host by sending a specially crafted serialized object (such as .jasper file or a subreport URL).
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
There is no fixed version for net.sf.jasperreports:jasperreports.
References
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption.
Note: This issue only applies to applications which do consume unvetted, or otherwise unvalidated, ASN.1 encodings.
Remediation
A fix was pushed into the master branch but not yet published.
References
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1 objects, potentially leading to service disruption.
Workaround
This vulnerability can be mitigated by limiting the size of ASN.1 objects that can be loaded from untrusted sources, thereby capping the maximum size of a Name Constraints structure.
Remediation
A fix was pushed into the master branch but not yet published.
References
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.
Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk15on.
References
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the org.bouncycastle.openssl.PEMParser class. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError.
Workaround
The attack can be avoided by filtering PEM requests containing EXTERNAL tagged encodings.
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk15on.
References
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function used for certificate verification in ECCurve.java. Passing a large f2m parameter can cause excessive CPU consumption.
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk15on.
References
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk15on
- Introduced through: org.bouncycastle:bcprov-jdk15on@1.70
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › org.bouncycastle:bcprov-jdk15on@1.70
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Information Exposure due to missing validation for the X.500 name of any certificate, subject, or issuer. The presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data.
Note:
The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.
Remediation
A fix was pushed into the master branch but not yet published.
References
medium severity
- Module: com.github.librepdf:openpdf
- Introduced through: net.sf.jasperreports:jasperreports-pdf@7.0.7
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › com.github.librepdf:openpdf@1.3.43.jaspersoft.1
Dual license: LGPL-2.1, MPL-2.0
medium severity
- Module: junit:junit
- Introduced through: junit:junit@4.13.2 and net.sf.barcode4j:barcode4j@2.1
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › junit:junit@4.13.2
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.barcode4j:barcode4j@2.1 › commons-cli:commons-cli@1.0 › commons-lang:commons-lang@1.0 › junit:junit@4.13.2
EPL-1.0 license
medium severity
- Module: net.sf.jasperreports:jasperreports
- Introduced through: net.sf.jasperreports:jasperreports@7.0.7 and net.sf.jasperreports:jasperreports-pdf@7.0.7
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports@7.0.7
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7 › net.sf.jasperreports:jasperreports@7.0.7
LGPL-2.0 license
medium severity
- Module: net.sf.jasperreports:jasperreports-fonts
- Introduced through: net.sf.jasperreports:jasperreports-fonts@7.0.7
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-fonts@7.0.7
LGPL-2.0 license
medium severity
- Module: net.sf.jasperreports:jasperreports-pdf
- Introduced through: net.sf.jasperreports:jasperreports-pdf@7.0.7
Detailed paths
-
Introduced through: arachan/JasperReportBoot@arachan/JasperReportBoot › net.sf.jasperreports:jasperreports-pdf@7.0.7
LGPL-2.0 license