esapi-2.3.0.0.jar: 13 vulnerabilities (highest severity is: 9.8) [master] (reachable) #37
Description
📂 Vulnerable Library - esapi-2.3.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.3.0.0/esapi-2.3.0.0.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-106848-507795 | 🟣 Critical | 9.8 | N/A | N/A | commons-io-2.6.jar | Transitive | N/A | ❌ | |
| CVE-2019-17571 | 🟣 Critical | 9.3 | Not Defined | 43.2% | log4j-1.2.17.jar | Transitive | N/A | ❌ |  Unreachable |
| CVE-2020-9493 | 🟣 Critical | 9.3 | Not Defined | < 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-23305 | 🟣 Critical | 9.3 | Not Defined | 14.1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |  Reachable |
| CVE-2022-23302 | 🔴 High | 8.7 | Not Defined | < 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-23307 | 🔴 High | 8.7 | Not Defined | < 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ | Unreachable |
| CVE-2023-24998 | 🔴 High | 8.7 | Not Defined | 37.7% | commons-fileupload-1.3.3.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2023-26464 | 🔴 High | 8.7 | Not Defined | < 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2025-48734 | 🔴 High | 8.7 | Not Defined | < 1% | commons-beanutils-1.9.4.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2021-4104 | 🔴 High | 7.7 | High | 73.7% | log4j-1.2.17.jar | Transitive | N/A | ❌ | Reachable |
| WS-2014-0034 | 🔴 High | 7.5 | N/A | N/A | commons-fileupload-1.3.3.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2020-9488 | 🟠 Medium | 6.3 | Not Defined | < 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2021-29425 | 🟠 Medium | 6.3 | Not Defined | < 1% | commons-io-2.6.jar | Transitive | N/A | ❌ | Reachable |
Details
🟣CVE-106848-507795
Vulnerable Library - commons-io-2.6.jar
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ commons-io-2.6.jar (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-106848-507795
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2019-17571
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: Dec 20, 2019 04:01 PM
URL: CVE-2019-17571
Threat Assessment
Exploit Maturity:Not Defined
EPSS:43.2%
Score: 9.3
Suggested Fix
Type: Upgrade version
Release Date: Dec 20, 2019 04:01 PM
Fix Resolution : log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
🟣CVE-2020-9493
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: Jun 16, 2021 07:30 AM
URL: CVE-2020-9493
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: Jun 16, 2021 07:30 AM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🟣CVE-2022-23305
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.reference.DefaultValidator (Extension)
- org.owasp.esapi.reference.validation.HTMLValidationRule (Extension)
- org.owasp.validator.html.AntiSamy (Extension)
- org.owasp.validator.html.scan.AntiSamyDOMScanner (Extension)
- org.owasp.validator.html.scan.AbstractAntiSamyScanner (Extension)
- org.owasp.validator.html.scan.ASHTMLSerializer (Extension)
- org.slf4j.LoggerFactory (Extension)
- org.slf4j.impl.StaticLoggerBinder (Extension)
- org.slf4j.impl.Reload4jLoggerFactory (Extension)
- org.apache.log4j.LogManager (Extension)
- org.apache.log4j.helpers.OptionConverter (Extension)
- org.apache.log4j.PropertyConfigurator (Extension)
-> ❌ org.apache.log4j.jdbc.JDBCAppender (Vulnerable Component)
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23305
Threat Assessment
Exploit Maturity:Not Defined
EPSS:14.1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.2
🔴CVE-2022-23302
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23302
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🔴CVE-2022-23307
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23307
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: qos-ch/reload4j#21
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🔴CVE-2023-24998
Vulnerable Library - commons-fileupload-1.3.3.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ commons-fileupload-1.3.3.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
- org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
-> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: Feb 20, 2023 03:57 PM
URL: CVE-2023-24998
Threat Assessment
Exploit Maturity:Not Defined
EPSS:37.7%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hfrx-6qgj-fp6c
Release Date: Feb 20, 2023 03:57 PM
Fix Resolution : commons-fileupload:commons-fileupload:1.5,org.apache.tomcat.embed:tomcat-embed-core:9.0.71,org.apache.tomcat:tomcat-coyote:11.0.0-M5,org.apache.tomcat.embed:tomcat-embed-core:10.1.5,org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M5,org.apache.tomcat.embed:tomcat-embed-core:8.5.88,org.apache.tomcat:tomcat-coyote:8.5.88,org.apache.tomcat:tomcat-coyote:10.1.5,org.apache.tomcat:tomcat-coyote:9.0.71
🔴CVE-2023-26464
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.Validator (Extension)
- org.owasp.esapi.reference.validation.HTMLValidationRule (Extension)
- org.owasp.validator.html.AntiSamy (Extension)
- org.owasp.validator.html.scan.AntiSamyDOMScanner (Extension)
- org.owasp.validator.css.CssScanner (Extension)
- org.apache.hc.client5.http.impl.classic.HttpClientBuilder (Extension)
- org.apache.hc.client5.http.impl.classic.ProtocolExec (Extension)
- org.slf4j.LoggerFactory (Extension)
- org.slf4j.impl.StaticLoggerBinder (Extension)
- org.slf4j.impl.Reload4jLoggerFactory (Extension)
- org.apache.log4j.LogManager (Extension)
- org.apache.log4j.spi.NOPLoggerRepository (Extension)
- org.apache.log4j.spi.NOPLogger (Extension)
- org.apache.log4j.net.JMSAppender (Extension)
- org.apache.log4j.EnhancedPatternLayout (Extension)
- org.apache.log4j.pattern.BridgePatternConverter (Extension)
- org.apache.log4j.pattern.PatternParser (Extension)
-> ❌ org.apache.log4j.pattern.NDCPatternConverter (Vulnerable Component)
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: Mar 10, 2023 01:38 PM
URL: CVE-2023-26464
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: Mar 10, 2023 01:38 PM
Fix Resolution : org.apache.logging.log4j:log4j-core:2.0
🔴CVE-2025-48734
Vulnerable Library - commons-beanutils-1.9.4.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ commons-beanutils-1.9.4.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController (Extension)
- org.owasp.esapi.reference.accesscontrol.policyloader.ACRPolicyFileLoader (Extension)
- org.apache.commons.configuration.XMLConfiguration (Extension)
- org.apache.commons.configuration.HierarchicalConfiguration$Node (Extension)
- org.apache.commons.configuration.MultiFileHierarchicalConfiguration (Extension)
- org.apache.commons.beanutils.BeanUtils (Extension)
- org.apache.commons.beanutils.BeanUtilsBean (Extension)
-> ❌ org.apache.commons.beanutils.LazyDynaClass (Vulnerable Component)
Vulnerability Details
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils
1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
Users of the artifact org.apache.commons:commons-beanutils2
2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Publish Date: May 28, 2025 01:32 PM
URL: CVE-2025-48734
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-wxr5-93ph-8wr9
Release Date: May 28, 2025 01:32 PM
Fix Resolution : https://github.com/apache/commons-beanutils.git - commons-beanutils-2.0.0-M2-RC1,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-2.0.0-M2,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-1.11.0,org.apache.commons:commons-beanutils2:2.0.0-M2,commons-beanutils:commons-beanutils:1.11.0
🔴CVE-2021-4104
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.logging.log4j.Log4JLogger (Extension)
- org.apache.log4j.Logger (Extension)
-> ❌ org.apache.log4j.net.JMSAppender (Vulnerable Component)
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Dec 14, 2021 12:00 AM
URL: CVE-2021-4104
Threat Assessment
Exploit Maturity:High
EPSS:73.7%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: Dec 14, 2021 12:00 AM
Fix Resolution : uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
🔴WS-2014-0034
Vulnerable Library - commons-fileupload-1.3.3.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ commons-fileupload-1.3.3.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
- org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)
-> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: Feb 17, 2014 12:13 AM
URL: WS-2014-0034
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: apache/commons-fileupload@5b4881d
Release Date: Feb 17, 2014 12:13 AM
Fix Resolution : commons-fileupload:commons-fileupload:1.4
🟠CVE-2020-9488
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.logging.log4j.Log4JLogger (Extension)
- org.apache.log4j.Logger (Extension)
-> ❌ org.apache.log4j.net.SMTPAppender (Vulnerable Component)
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: Apr 27, 2020 03:36 PM
URL: CVE-2020-9488
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vwqq-5vrc-xw9h
Release Date: Apr 27, 2020 03:36 PM
Fix Resolution : org.apache.logging.log4j:log4j-core:2.3.2,org.apache.logging.log4j:log4j-core:2.12.3,org.apache.logging.log4j:log4j-core:2.13.2,org.apache.logging.log4j:log4j:2.3.2,org.apache.logging.log4j:log4j:2.12.3,org.apache.logging.log4j:log4j:2.13.2
🟠CVE-2021-29425
Vulnerable Library - commons-io-2.6.jar
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
Dependency Hierarchy:
- esapi-2.3.0.0.jar (Root Library)
- ❌ commons-io-2.6.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.DatabaseHelper (Application)
- org.owasp.esapi.ESAPI (Extension)
- org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)
- org.apache.commons.fileupload.disk.DiskFileItemFactory (Extension)
- org.apache.commons.io.FileCleaningTracker (Extension)
- org.apache.commons.io.FileDeleteStrategy (Extension)
- org.apache.commons.io.FileDeleteStrategy$ForceFileDeleteStrategy (Extension)
- org.apache.commons.io.FileUtils (Extension)
-> ❌ org.apache.commons.io.FilenameUtils (Vulnerable Component)
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: Apr 13, 2021 06:50 AM
URL: CVE-2021-29425
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-gwrp-pvrq-jmwv
Release Date: Apr 13, 2021 06:50 AM
Fix Resolution : org.checkerframework.annotatedlib:commons-io:2.7,commons-io:commons-io:2.7