Vulnerabilities	6 via 7 paths
Dependencies	36
Source	GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Issue type

Vulnerabilities
6
License issues
1

Severity

Critical
High
4
Medium
2
Low
1

Status

Open
7
Patched
0
Ignored
0

high severity

Uncontrolled Recursion

Vulnerable module: org.apache.commons:commons-lang3
Introduced through: org.apache.velocity:velocity-engine-core@2.4.1

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.velocity:velocity-engine-core@2.4.1 › org.apache.commons:commons-lang3@3.17.0

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

new

Improper Encoding or Escaping of Output

Vulnerable module: org.apache.logging.log4j:log4j-core
Introduced through: org.apache.logging.log4j:log4j-core@3.0.0-beta3

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.logging.log4j:log4j-core@3.0.0-beta3

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XmlLayout plugin. An attacker can cause log events to be silently lost or malformed by injecting XML 1.0 forbidden characters into log messages or MDC values. This may result in malformed XML output, which can cause downstream log-processing systems to drop affected records or prevent log events from being delivered to their intended destinations.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Encoding or Escaping of Output vulnerability report

high severity

new

Improper Encoding or Escaping of Output

Vulnerable module: org.apache.logging.log4j:log4j-core
Introduced through: org.apache.logging.log4j:log4j-core@3.0.0-beta3

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.logging.log4j:log4j-core@3.0.0-beta3

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Log4j1XmlLayout plugin. An attacker can cause log events to be silently lost or downstream log processing systems to drop or fail to index affected records by introducing XML 1.0 forbidden characters into log messages, resulting in malformed XML output that conforming XML parsers reject with a fatal error.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Encoding or Escaping of Output vulnerability report

high severity

new

Improper Output Neutralization for Logs

Vulnerable module: org.apache.logging.log4j:log4j-core
Introduced through: org.apache.logging.log4j:log4j-core@3.0.0-beta3

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.logging.log4j:log4j-core@3.0.0-beta3

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rfc5424Layout plugin due to newLineEscape and useTlsMessageFormat configuration attributes being silently renamed, leading to improper handling of newline escaping for TCP framing and incorrect message formatting for TLS framing. An attacker can inject arbitrary log entries by supplying crafted CRLF sequences in log messages, potentially manipulating log output or bypassing log-based security controls.

Note:

This is only exploitable if the Rfc5424Layout is configured directly with affected attributes in stream-based syslog services.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Output Neutralization for Logs vulnerability report

medium severity

new

Improper Validation of Certificate with Host Mismatch

Vulnerable module: org.apache.logging.log4j:log4j-core
Introduced through: org.apache.logging.log4j:log4j-core@3.0.0-beta3

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.logging.log4j:log4j-core@3.0.0-beta3

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the verifyHostName attribute of the <Ssl> element. An attacker can intercept and manipulate network traffic by presenting a certificate issued by a trusted certificate authority to the appender's configured trust store, or the default Java trust store if none is configured. This is only exploitable if an SMTP, Socket, or Syslog appender is in use and TLS is configured via a nested element.

Note:

This issue is due to incomplete fix for CVE-2025-68161.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

medium severity

new

EPL-1.0 license

Module: junit:junit
Introduced through: org.apache.tamaya:tamaya-core@0.4-incubating

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.tamaya:tamaya-core@0.4-incubating › junit:junit@4.12
Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.tamaya:tamaya-core@0.4-incubating › org.apache.tamaya:tamaya-spisupport@0.4-incubating › junit:junit@4.12

EPL-1.0 license

EPL-1.0 license vulnerability report

low severity

Information Exposure

Vulnerable module: junit:junit
Introduced through: org.apache.tamaya:tamaya-core@0.4-incubating

Detailed paths

Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.tamaya:tamaya-core@0.4-incubating › junit:junit@4.12
Introduced through: ottlinger/mailclena@ottlinger/mailclena › org.apache.tamaya:tamaya-core@0.4-incubating › org.apache.tamaya:tamaya-spisupport@0.4-incubating › junit:junit@4.12

Overview

junit:junit is an unit testing framework for Java

Affected versions of this package are vulnerable to Information Exposure. The JUnit4 test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.

Note: This vulnerability does not allow other users to overwrite the contents of these directories or files. This only affects Unix like systems.

Remediation

Upgrade junit:junit to version 4.13.1 or higher.

References

Information Exposure vulnerability report

Vulnerabilities

Dependencies

Source

Find, fix and prevent vulnerabilities in your code.

high severity

Uncontrolled Recursion

Detailed paths

Overview

Remediation

References

high severity new

Improper Encoding or Escaping of Output

Detailed paths

Overview

Remediation

References

high severity new

Improper Encoding or Escaping of Output

Detailed paths

Overview

Remediation

References

high severity new

Improper Output Neutralization for Logs

Detailed paths

Overview

Remediation

References

medium severity new

Improper Validation of Certificate with Host Mismatch

Detailed paths

Overview

Remediation

References

medium severity new

EPL-1.0 license

Detailed paths

low severity

Information Exposure

Detailed paths

Overview

Remediation

References

high severity

new

high severity

new

high severity

new

medium severity

new

medium severity

new