Vulnerabilities

 6 via 80 paths

Dependencies

 27

Source

 GitHub

Commit

 695961c4

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 6
  • 5
Severity
  • 1
  • 1
  • 9
Status
  • 11
  • 0
  • 0

critical severity

Shell Command Injection

  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: org.apache.maven:maven-artifact@3.0.5, org.apache.maven:maven-model@3.0.5 and others

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-artifact@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-model@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-repository-metadata@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.1.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.1.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.plexus:plexus-sec-dispatcher@1.3 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-repository-metadata@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.1.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.apache.maven:maven-settings@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.sonatype.plexus:plexus-sec-dispatcher@1.3 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.2.1.

Overview

Codehaus Plexus is a collection of components used by Apache Maven.

Affected versions of this package are vulnerable to Shell Command Injection. The Commandline class in plexus-utils does not correctly quote the contents of double-quoted strings.

Remediation

Upgrade Codehaus Plexus to version 3.0.16 or higher.

References

Shell Command Injection vulnerability report

high severity

Resources Downloaded over Insecure Protocol

  • Vulnerable module: org.apache.maven:maven-core
  • Introduced through: org.apache.maven:maven-core@3.0.5

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5
    Remediation: Upgrade to org.apache.maven:maven-core@3.8.1.

Overview

Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls.

If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. For more information about repository management, visit this page.

Remediation

Upgrade org.apache.maven:maven-core to version 3.8.1 or higher.

References

Resources Downloaded over Insecure Protocol vulnerability report

medium severity

LDAP Injection

  • Vulnerable module: org.apache.derby:derby
  • Introduced through: org.apache.derby:derby@10.10.1.1 and org.apache.derby:derbynet@10.10.1.1

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.derby:derby@10.10.1.1
    Remediation: Upgrade to org.apache.derby:derby@10.17.1.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.derby:derbynet@10.10.1.1 org.apache.derby:derby@10.10.1.1
    Remediation: Upgrade to org.apache.derby:derbynet@10.17.1.0.

Overview

org.apache.derby:derby is a database engine by Apache.

Affected versions of this package are vulnerable to LDAP Injection due to improper LDAP authentication checks. An attacker can fill up the disk by creating junk databases and execute malware visible to and executable by the account which booted the server. Additionally, if the databases aren't also protected by SQL GRANT/REVOKE authorization, the attacker can view and corrupt sensitive data, and run sensitive database functions and procedures.

Remediation

Upgrade org.apache.derby:derby to version 10.17.1.0 or higher.

References

LDAP Injection vulnerability report

medium severity

Security Bypass

  • Vulnerable module: org.apache.derby:derby
  • Introduced through: org.apache.derby:derby@10.10.1.1 and org.apache.derby:derbynet@10.10.1.1

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.derby:derby@10.10.1.1
    Remediation: Upgrade to org.apache.derby:derby@10.14.2.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.derby:derbynet@10.10.1.1 org.apache.derby:derby@10.10.1.1
    Remediation: Upgrade to org.apache.derby:derbynet@10.14.2.0.

Overview

org.apache.derby:derby is a subproject of the Apache DB project.

Affected versions of this package are vulnerable to Security Bypass. A specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control.

Remediation

Upgrade org.apache.derby:derby to version 10.14.2.0 or higher.

References

Security Bypass vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: org.apache.maven:maven-artifact@3.0.5, org.apache.maven:maven-model@3.0.5 and others

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-artifact@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-model@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-repository-metadata@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.plexus:plexus-sec-dispatcher@1.3 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-repository-metadata@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.apache.maven:maven-settings@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.sonatype.plexus:plexus-sec-dispatcher@1.3 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6

Overview

An attacker could access arbitrary files and directories stored on the file system by manipulating files with dot-dot-slash (../) sequences and their variations or by using absolute file paths.

Note:

There is no indication that access to the filesystem beyond that of the application user can be achieved. So typical deployments will have only limited confidentiality impact from this vulnerability.

References

Directory Traversal vulnerability report

medium severity

XML External Entity (XXE) Injection

  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: org.apache.maven:maven-artifact@3.0.5, org.apache.maven:maven-model@3.0.5 and others

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-artifact@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-model@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-plugin-api@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-repository-metadata@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.plexus:plexus-sec-dispatcher@1.3 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-artifact@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-repository-metadata@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.apache.maven:maven-settings@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6
    Remediation: Upgrade to org.apache.maven:maven-core@3.5.0.
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-settings-builder@3.0.5 org.sonatype.plexus:plexus-sec-dispatcher@1.3 org.codehaus.plexus:plexus-utils@2.0.6
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.apache.maven:maven-model-builder@3.0.5 org.apache.maven:maven-model@3.0.5 org.codehaus.plexus:plexus-utils@2.0.6

Overview

org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This means that text contained in the command string could be interpreted as XML and allow for XML injection.

Remediation

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

References

XML External Entity (XXE) Injection vulnerability report

medium severity

EPL-1.0 license

  • Module: org.sonatype.aether:aether-api
  • Introduced through: org.apache.maven:maven-core@3.0.5

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-util@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-spi@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-spi@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-util@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-util@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-spi@1.13.1 org.sonatype.aether:aether-api@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-util@1.13.1 org.sonatype.aether:aether-api@1.13.1

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

EPL-1.0 license

  • Module: org.sonatype.aether:aether-impl
  • Introduced through: org.apache.maven:maven-core@3.0.5

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-impl@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-impl@1.13.1

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

EPL-1.0 license

  • Module: org.sonatype.aether:aether-spi
  • Introduced through: org.apache.maven:maven-core@3.0.5

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-spi@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-spi@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-spi@1.13.1

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

EPL-1.0 license

  • Module: org.sonatype.aether:aether-util
  • Introduced through: org.apache.maven:maven-core@3.0.5

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-util@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-util@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-util@1.13.1
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-aether-provider@3.0.5 org.sonatype.aether:aether-impl@1.13.1 org.sonatype.aether:aether-util@1.13.1

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

EPL-1.0 license

  • Module: org.sonatype.sisu:sisu-inject-plexus
  • Introduced through: org.apache.maven:maven-plugin-api@3.0.5 and org.apache.maven:maven-core@3.0.5

Detailed paths

  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0
  • Introduced through: carlspring/derby-maven-plugin@carlspring/derby-maven-plugin#695961c4bd70645159be3f5955f465905ee67496 org.apache.maven:maven-core@3.0.5 org.apache.maven:maven-plugin-api@3.0.5 org.sonatype.sisu:sisu-inject-plexus@2.3.0

EPL-1.0 license

EPL-1.0 license vulnerability report