El Alto VFC Security/Vulnerability Report
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-gvnfm-vnflcm | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnflcm | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | The Django version has been upgraded to 2.1.0 |
vfc-gvnfm-vnflcm | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnflcm | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnflcm | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnflcm | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-gvnfm-vnfmgr | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfmgr | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | The Django version has been upgraded to 2.1.0 |
vfc-gvnfm-vnfmgr | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnfmgr | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnfmgr | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnfmgr | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-gvnfm-vnfres | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfres | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-gvnfm-vnfresmgr | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | The Django version has been upgraded to 2.1.0 |
vfc-gvnfm-vnfres | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnfres | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnfres | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-gvnfm-vnfres | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-catalog | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Plan to update the no vulnerability version in F version |
vfc-nfvo-catalog | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | The Django version has been upgraded to 2.1.0 |
vfc-nfvo-catalog | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-nfvo-catalog | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
vfc-nfvo-catalog | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | The version of djangorestframework should be upgraded to higher . |
vfc-nfvo-catalog | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | The version of djangorestframework should be upgraded to higher . |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-driver-ems | com.fasterxml.jackson.core | CVE-2018-14721 | Ineffective | Yes | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. jackson-databind is vulnerable to Server-Side Request Forgery (SSRF) via Deserialization of Untrusted Data. The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in the execution of SSRF attacks if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to update the no vulnerability version in F version |
vfc-nfvo-driver-ems | com.fasterxml.jackson.core | CVE-2018-14718 | Ineffective | Yes | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. | Plan to update the no vulnerability version in F version |
vfc-nfvo-driver-ems | com.fasterxml.jackson.core | CVE-2018-14719 | Ineffective | Yes | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to update the no vulnerability version in F version |
vfc-nfvo-driver-ems | com.fasterxml.jackson.core | CVE-2018-14720 | Ineffective | Yes | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. jackson-databind is vulnerable to XML eXternal Entity (XXE) attacks via Deserialization of Untrusted Data. The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in the execution of XXE attacks if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to update the no vulnerability version in F version |
vfc-nfvo-driver-ems | com.fasterxml.jackson.core | N/A | Ineffective | Yes |
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization. | Plan to update the no vulnerability version in F version |
vfc-nfvo-driver-ems | io.netty | CVE-2019-16869 | effective | Yes | Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | This issue has undergone the Sonatype Fast-Track process. |
vfc-nfvo-driver-ems | io.netty | CVE-2019-9518 | Ineffective | Yes | Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. | VFC-1550 |
vfc-nfvo-driver-ems | org.mozilla | N/A | Ineffective | Yes | The rhino package is vulnerable to XML eXternal Entity Reference (XXE) attacks. The toXml method in XmlProcessor.class does not properly enforce any protections against external entities when parsing XML. An attacker can exploit this vulnerability by using crafted XML data which when evaluated by the package, causes XXE attacks. | Investigating alternative components or a potential mitigating control. |
vfc-nfvo-driver-ems | org.quartz-scheduler | CVE-2019-13990 | Ineffective | Yes | initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | There is no non vulnerable version of this component. Do not use the default typing. |
vfc-nfvo-driver-ems | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-ems | javax.mail | N/A | Ineffective | Yes | JavaMail is vulnerable to Information Exposure. The getUniqueMessageIDValue() method in the UniqueValue class file appends the username and the hostname of the Java process when generating the Message-Id for an email. This can lead to unintended information leakage in the email headers and potentially lead to security issues. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-ems | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-ems | org.eclipse.jetty | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context . | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-ems | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-ems | org.eclipse.jetty | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-ems | org.exist-db.thirdparty.xerces | N/A | Ineffective | Yes | Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The setupCurrentEntity() method in the XMLEntityManager class lacks a connection timeout mechanism. A remote attacker can exploit this vulnerability by supplying an XML document containing a URL to their malicious FTP server. This URL is then retrieved and stored in the expandedSystemId object, and used to instantiate a URLConnection . Once the server begins fetching the resource, the attacker's server would then exit abruptly, leaving the connection in a CLOSE_WAIT status. The attacker would need to issue one request per thread, eventually leading to a DoS as the application repeatedly attempts to fetch the FTP resource. | There is no non vulnerable version of this component/package. Investigating alternative components or a potential mitigating control. |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-driver-svnfm-huawei | apache-httpclient | N/A | Ineffective | Yes | The Apache HttpComponents project is vulnerable to a Denial of Service (DoS). The HttpParser class' readRawLine method performs unbound reads on HTTP POST data. If a new line character
is not encountered, memory consumption is not limited, leading to a Denial of Service. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-huawei | apache-httpclient | CVE-2012-5783 | Ineffective | Yes | Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. The commons-httpclient package is vulnerable to Improper Certificate Validation. The createSocket() function in the SSLProtocolSocketFactory.class file does not verify the server hostname against the subject's commonName field of an X.509 certificate when establishing a connection to the server. A Man-in-the-Middle (MitM) can exploit this behavior to intercept requests and impersonate legitimate hosts. The Commons HttpClient project is now the end of life and is no longer being developed. It has been replaced by the Apache HttpComponents project in its HttpClient [org.apache.httpcomponents:httpclient] and HttpCore modules, which offer better performance and more flexibility. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-huawei | apache-httpclient | CVE-2012-6153 | Ineffective | Yes | http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. An incomplete fix for CVE-2012-5783 causes HttpClient to still be vulnerable to a man-in-the-middle attack. The verification of the SSL certificate, used to indicate trustworthiness, by HttpClient does not check that the common name given in the certificate is in the common name field. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-huawei | commons-beanutils | CVE-2014-0114 | Ineffective | Yes | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, exposing it by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader potentially leading to arbitrary code execution. If you are the calling application, you are vulnerable by running this component without filtering the class property name. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control. commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. However, this fix is not enabled by default. | Filtering the class property name by using either: 1. The SUPPRESS_CLASS specialized instance of SuppressPropertiesBeanIntrospector
|
vfc-nfvo-driver-svnfm-huawei | org.codehaus.jackson | CVE-2017-7525 | Ineffective | Yes | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component, when default typing is enabled. | There is no non vulnerable version of this component. Do not use the default typing. |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2017-7657 | Ineffective | Yes | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. The Jetty package is vulnerable to HTTP Request Smuggling. The parseContent() and handleKnownHeaders() functions in HttpParser.class don't parse large chunk lengths properly. A remote attacker could exploit this vulnerability with an HTTP request that specified an especially large chunk size to cause an integer overflow in the vulnerable application. This vulnerability can be mitigated by disabling HTTP/1.1 support. | Upgrading to a version of this component that is not vulnerable to this specific issue. Alternatively, this vulnerability can be mitigated by disabling HTTP/1.1 support. |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2017-7658 | Ineffective | Yes | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. Eclipse Jetty Server is vulnerable to HTTP request smuggling. The handleKnownHeaders method in HttpParser.class accepts multiple content-length headers, which is contrary to the HTTP RFC specification. A remote attacker could exploit this behavior to potentially cause unexpected behaviors with Jetty, such as resulting in bypassing authorization checks in intermediaries or response smuggling. It is possible to mitigate this vulnerability by disabling support for HTTP versions lower than two. | Upgrading to a version of this component that is not vulnerable to this specific issue. Alternatively, it is possible to mitigate this vulnerability by disabling support for HTTP versions lower than two. |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2017-9735 | Ineffective | Yes | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. The Jetty package is vulnerable to a Timing Attack while comparing passwords. The public boolean check(Object credentials) function in the Password.java file compares the user supplied password using a non-constant time comparison function. A remote attacker can exploit this vulnerability to assist in determining correct passwords by measuring and tracking the time taken to validate a given input. The difference in timing allows an attacker to verify a password character by character. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2018-12536 | Ineffective | Yes | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. The jetty package is vulnerable to Information Disclosure via InvalidPathException message. The functions getContent() , lookup() , PathResource() , addPath() in several files displays the full path to the base resource directory that the DefaultServlet is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message in the HTTP response. This reveals the path to the requesting system. | Upgrading to a version of this component that is not vulnerable to this specific issue |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. This only impacts users using Eclipse Jetty on Windows. | Upgrading to a version of this component that is not vulnerable to this specific issue |
vfc-nfvo-driver-svnfm-huawei | org.eclipse.jetty.aggregate | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context . | Upgrading to a version of this component that is not vulnerable to this specific issue |
vfc-nfvo-driver-svnfm-huawei | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue |
vfc-nfvo-driver-svnfm-huawei | org.apache.commons | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-driver-svnfm-nokiav2 | com.squareup.okhttp3 | CVE-2018-20200 | Ineffective | Yes | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967. | N /A |
vfc-nfvo-driver-svnfm-nokiav2 | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | org.eclipse.jetty | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context . | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | org.eclipse.jetty | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | org.springframework.security | CVE-2019-3795 | Ineffective | Yes | Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection. The spring-security-core package has a cryptographic weakness. The getObject method in SecureRandomFactoryBean.class uses a seed to create a cryptographically sensitive value in a reversible manner. An attacker with access to the random material produced by a vulnerable application's seed can exploit this behavior to decrypt values that would not normally be accessible. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-svnfm-nokiav2 | org.springframework.security | N/A | Ineffective | Yes | The spring-security-web package is vulnerable to Cross-Site Request Forgery (CSRF). The doFilter() method in the SwitchUserFilter , which is reachable via a GET request, does not require any form of confirmation that the user sending the request intended to do so. An attacker can exploit this vulnerability by crafting a malicious application containing links to the vulnerable endpoint, HTML tags that use the vulnerable endpoint in the src attribute, or malicious JavaScript designed to send the request to the vulnerable endpoint. When a victim visits the malicious page, their browser will be made to send requests to the vulnerable endpoint, taking action as the victim without the victim's knowledge or consent. | There is no non vulnerable version of this component/package. Investigating alternative components or a potential mitigating control. |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-driver-vnfm-gvnfm | commons-beanutils | CVE-2014-0114 | Ineffective | Yes | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, exposing it by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader potentially leading to arbitrary code execution. If you are the calling application, you are vulnerable by running this component without filtering the class property name. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control. commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. However, this fix is not enabled by default. | Filtering the
|
vfc-nfvo-driver-vnfm-gvnfm | commons-collections | N/A | Ineffective | Yes | The commons-collections package is vulnerable to Remote Code Execution (RCE). Due to the behavior of InvokerTransformer , a remote code execution attack may be executed against any application performing deserialization of user supplied objects when commons-collections is present on the classpath. The intended behavior of InvokerTransformer is to allow for the invocation of any method on the Java classpath. The InvokerTransformer class implements Serializable and therefore can be included in a serialized object. A combination of the intended functionality of the InvokerTransformer class and its serializable nature allows an attacker to embed malicious content, such as Runtime.getRuntime().exec() via Java reflection, allowing execution of remote code. A potential workaround is to remove commons-collections from the classpath or to remove the InvokerTransformer class from the common-collections jar file. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.apache.commons | CVE-2019-12402 | Ineffective | Yes | The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. Apache Commons Compress is vulnerable to a Denial of Service (DoS) attack. The encode() method in the NioZipEncoding class fails to account for underflows caused by certain characters during iteration. A remote attacker can exploit this vulnerability by submitting a malicious archive containing file names that contain characters, such as certain umlauts, that exploit this issue. This will cause the application to enter into an infinite loop, ultimately resulting in a DoS condition. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.codehaus.jackson | CVE-2017-7525 | Ineffective | Yes | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component, when default typing is enabled. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2017-7657 | Ineffective | Yes | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. The Jetty package is vulnerable to HTTP Request Smuggling. The parseContent() and handleKnownHeaders() functions in HttpParser.class don't parse large chunk lengths properly. A remote attacker could exploit this vulnerability with an HTTP request that specified an especially large chunk size to cause an integer overflow in the vulnerable application. This vulnerability can be mitigated by disabling HTTP/1.1 support. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2017-7658 | Ineffective | Yes | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. Eclipse Jetty Server is vulnerable to HTTP request smuggling. The handleKnownHeaders method in HttpParser.class accepts multiple content-length headers, which is contrary to the HTTP RFC specification. A remote attacker could exploit this behavior to potentially cause unexpected behaviors with Jetty, such as resulting in bypassing authorization checks in intermediaries or response smuggling. It is possible to mitigate this vulnerability by disabling support for HTTP versions lower than two. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2017-9735 | Ineffective | Yes | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. The Jetty package is vulnerable to a Timing Attack while comparing passwords. The public boolean check(Object credentials) function in the Password.java file compares the user supplied password using a non-constant time comparison function. A remote attacker can exploit this vulnerability to assist in determining correct passwords by measuring and tracking the time taken to validate a given input. The difference in timing allows an attacker to verify a password character by character. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2018-12536 | Ineffective | Yes | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. The jetty package is vulnerable to Information Disclosure via InvalidPathException message. The functions getContent() , lookup() , PathResource() , addPath() in several files displays the full path to the base resource directory that the DefaultServlet is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message in the HTTP response. This reveals the path to the requesting system. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. This only impacts users using Eclipse Jetty on Windows. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.eclipse.jetty.aggregate | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context . | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.springframework | CVE-2018-1270 | Ineffective | Yes | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. The Spring Framework spring-messaging module is vulnerable to Remote Code Execution (RCE). The getMethods() method in the ReflectiveMethodResolver class, the canWrite method in the ReflectivePropertyAccessor class, and the filterSubscriptions() method in the DefaultSubscriptionRegistry class do not properly restrict SpEL expression evaluation. A remote attacker can exploit this vulnerability by crafting a request to an exposed STOMP endpoint and injecting a malicious payload into the selector header. The application would then execute the payload via a call to expression.getValue() whenever a new message is sent to the broker. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.springframework | CVE-2018-1257 | Ineffective | Yes | Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. The spring-expression module of Spring Framework is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The getValueInternal() method in the OperatorMatches class lacks a threshold at which to limit regular expression evaluation. A remote attacker can exploit this vulnerability by sending a maliciously crafted message to the STOMP broker. This will result in a DoS when the application attempts to parse the message. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.springframework | CVE-2018-1272 | Ineffective | Yes | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. The spring-core and spring-web modules of Spring Framework are vulnerable to a multipart content pollution vulnerability. The generateMultipartBoundary() method in the MimeTypeUtils class uses a predictable method of generating random values to use as boundary values for multipart requests to other servers. This means that an attacker may be able to predict the boundary values and inject them into requests at unexpected locations, causing the recipient server to incorrectly interpret the multipart request. This will result in unexpected behavior depending on the requests being processed, including privilege escalation if authorization data is sent in the multipart request. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.springframework | CVE-2018-11039 | Ineffective | Yes | Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. The HiddenHttpMethodFilter class lets an attacker change the HTTP request method to TRACE . An attacker can exploit this behavior with an Cross-Site Scripting (XSS) attack by sending a TRACE request and recovering information that would not normally be accessible, such as Cookies with the HTTPOnly flag. The application is vulnerable by using this component if the application: "[Uses] the HiddenHttpMethodFilter (it is enabled by default in Spring Boot), [and] [Allows] HTTP TRACE requests to be handled by the application server. This attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST.” | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.apache.commons | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-gvnfm | org.springframework | CVE-2014-3578 | Ineffective | Yes | Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. Spring Framework ResourceHttpRequestHandler functionality does not properly enforce checks for directory traversal. Use of : (colon) in static resource URLs can circumvent isInvalidPath check in ResourceHttpRequestHandler. Remote attackers can exploit this flaw to access arbitrary files. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-driver-vnfm-svnfm-zte | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | Upgrading to a version of this component that is not vulnerable to this specific issue. |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-lcm | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14234 | Ineffective | Yes | Django - SQL Injection | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14232 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14233 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | CVE-2019-14235 | Ineffective | Yes | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | Django | N/A | Ineffective | Yes | The qunit package is vulnerable to Cross-Site Scripting (XSS). The testDone function in qunit.js shows the source of tests in HTML. An attacker is able to provide a malicious unit test could exploit this behavior to execute arbitrary JavaScript in the browser of a victim who views the results of that unit test. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | djangorestframework | N/A | Ineffective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype . An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-lcm | djangorestframework | CVE-2019-8331 | Ineffective | Yes | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The setElementContent method in the tooltip.js file accepts JavaScript within the input parameters without properly sanitizing the data in the elements that are being rendered on the webpage. This could lead to Cross-Site Scripting (XSS). | Upgrading to a version of this component that is not vulnerable to this specific issue. |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-multivimproxy | commons-beanutils | CVE-2014-0114 | Ineffective | Yes | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, exposing it by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader potentially leading to arbitrary code execution. If you are the calling application, you are vulnerable by running this component without filtering the class property name. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control. commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. However, this fix is not enabled by default. | Filtering the class property name by using either: 1. The SUPPRESS_CLASS specialized instance of SuppressPropertiesBeanIntrospector
|
vfc-nfvo-multivimproxy | org.codehaus.jackson | CVE-2017-7525 | Ineffective | Yes | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component, when default typing is enabled. | There is no non vulnerable version of this component. Do not use the default typing. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2017-7657 | Ineffective | Yes | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. The Jetty package is vulnerable to HTTP Request Smuggling. The parseContent() and handleKnownHeaders() functions in HttpParser.class don't parse large chunk lengths properly. A remote attacker could exploit this vulnerability with an HTTP request that specified an especially large chunk size to cause an integer overflow in the vulnerable application. This vulnerability can be mitigated by disabling HTTP/1.1 support. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2017-7658 | Ineffective | Yes | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. Eclipse Jetty Server is vulnerable to HTTP request smuggling. The handleKnownHeaders method in HttpParser.class accepts multiple content-length headers, which is contrary to the HTTP RFC specification. A remote attacker could exploit this behavior to potentially cause unexpected behaviors with Jetty, such as resulting in bypassing authorization checks in intermediaries or response smuggling. It is possible to mitigate this vulnerability by disabling support for HTTP versions lower than two. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2017-9735 | Ineffective | Yes | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. The Jetty package is vulnerable to a Timing Attack while comparing passwords. The public boolean check(Object credentials) function in the Password.java file compares the user supplied password using a non-constant time comparison function. A remote attacker can exploit this vulnerability to assist in determining correct passwords by measuring and tracking the time taken to validate a given input. The difference in timing allows an attacker to verify a password character by character. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2018-12536 | Ineffective | Yes | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. The jetty package is vulnerable to Information Disclosure via InvalidPathException message. The functions getContent() , lookup() , PathResource() , addPath() in several files displays the full path to the base resource directory that the DefaultServlet is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message in the HTTP response. This reveals the path to the requesting system. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. This only impacts users using Eclipse Jetty on Windows. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.eclipse.jetty.aggregate | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context . | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-multivimproxy | org.apache.commons | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
---|---|---|---|---|---|---|
vfc-nfvo-resmanagement | commons-beanutils | CVE-2014-0114 | Ineffective | Yes | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, exposing it by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader potentially leading to arbitrary code execution. If you are the calling application, you are vulnerable by running this component without filtering the class property name. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control. commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. However, this fix is not enabled by default. | Filtering the class property name by using either: 1. The SUPPRESS_CLASS specialized instance of SuppressPropertiesBeanIntrospector
|
vfc-nfvo-resmanagement | org.codehaus.jackson | CVE-2017-7525 | Ineffective | Yes | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component, when default typing is enabled. | There is no non vulnerable version of this component/package. Investigating alternative components or a potential mitigating control. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2017-7657 | Ineffective | Yes | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. The Jetty package is vulnerable to HTTP Request Smuggling. The parseContent() and handleKnownHeaders() functions in HttpParser.class don't parse large chunk lengths properly. A remote attacker could exploit this vulnerability with an HTTP request that specified an especially large chunk size to cause an integer overflow in the vulnerable application. This vulnerability can be mitigated by disabling HTTP/1.1 support. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2017-7658 | Ineffective | Yes | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. Eclipse Jetty Server is vulnerable to HTTP request smuggling. The handleKnownHeaders method in HttpParser.class accepts multiple content-length headers, which is contrary to the HTTP RFC specification. A remote attacker could exploit this behavior to potentially cause unexpected behaviors with Jetty, such as resulting in bypassing authorization checks in intermediaries or response smuggling. It is possible to mitigate this vulnerability by disabling support for HTTP versions lower than two. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2017-9735 | Ineffective | Yes | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. The Jetty package is vulnerable to a Timing Attack while comparing passwords. The public boolean check(Object credentials) function in the Password.java file compares the user supplied password using a non-constant time comparison function. A remote attacker can exploit this vulnerability to assist in determining correct passwords by measuring and tracking the time taken to validate a given input. The difference in timing allows an attacker to verify a password character by character. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2018-12536 | Ineffective | Yes | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. The jetty package is vulnerable to Information Disclosure via InvalidPathException message. The functions getContent() , lookup() , PathResource() , addPath() in several files displays the full path to the base resource directory that the DefaultServlet is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message in the HTTP response. This reveals the path to the requesting system. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. This only impacts users using Eclipse Jetty on Windows. | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.eclipse.jetty.aggregate | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context . | Upgrading to a version of this component that is not vulnerable to this specific issue. |
vfc-nfvo-resmanagement | org.apache.commons | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 , Base64 , and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | Upgrading to a version of this component that is not vulnerable to this specific issue. |