El Alto oparent Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.



| Repository | Group | Problem Code | Impact Analysis | Action |
|---|---|---|---|---|
| oparent | commons-beanutils | CVE-2014-0114 | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | All versions of commons-beanutils have security vulnerabilities. SECCOM recommends upgrading to 1.9.4 in order to use a more current version of the package. |
| oparent | org.apache.tomcat.embed | CVE-2019-0232 | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). | SECCOM recommends oparent upgrade to 9.0.20, 9.0.21, 9.0.22 or 9.0.24. None of these versions have security vulnerabilities. |
| oparent | org.apache.tomcat.embed | CVE-2019-0199 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. The Http2Protocol class, the reserveWindowSize() method in the Stream class, the process() method in the StreamProcessor class, the upgradeDispatch(), writeBody(), startRequestBodyFrame(), reprioritise(), setting(), and pingReceive() methods in the Http2UpgradeHandler class, the end() method in the Stream$StreamOutputBuffer class, and the doRead() method in the Stream$StreamInputBuffer class fail to enforce proper timeout restrictions on open connections and allow excessive numbers of SETTINGS frames. Consequently, clients are able to keep connections alive without reading or writing any request or response data. If the open streams utilize the Servlet API's blocking I/O capabilities, clients can abuse this functionality to block server-side threads. A remote attacker can exploit this vulnerability by establishing never-ending connections to the affected server, or by issuing excessive numbers of SETTINGS frames. These connections will exhaust server-side threads and eventually result in a DoS condition. The application is vulnerable by using this component if it utilizes the Servlet API's blocking I/O functionality. | SECCOM recommends oparent upgrade to 9.0.20, 9.0.21, 9.0.22 or 9.0.24. None of these versions have security vulnerabilities. |
| oparent | org.apache.tomcat.embed | CVE-2019-0221 | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. The tomcat-catalina package is vulnerable to Cross-Site Scripting (XSS). The process method in SSIPrintenv.class prints application environment variables without sanitizing them. A remote attacker could exploit this vulnerability by sending a malicious payload as part of the HTTP request, which may be automatically set as an environment variable. This can be used to inject JavaScript in a victim's browser. The application is vulnerable by using this component with SSI enabled, which is disabled by default. The SSI component is toggled on or off in the $CATALINA_BASE/conf/web.xml file. For more information see https://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html | SECCOM recommends oparent upgrade to 9.0.20, 9.0.21, 9.0.22 or 9.0.24. None of these versions have security vulnerabilities. |
| oparent | org.codehaus.jackson | CVE-2017-7525 | A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component when default typing is enabled. | All versions of jackson-mapper-asl have security vulnerabilities. |
| oparent | org.webjars | N/A | The jquery package is vulnerable to Prototype Pollution. | SECCOM recommends upgrading to 3.4.0 or higher. |
| oparent | commons-codec | N/A | The Apache commons-codec package contains an Improper Input Validation vulnerability. | SECCOM recommends upgrading to 1.13. |
| oparent | org.exist-db.thirdparty.xerces | N/A | Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. | There is no newer version of the package. |