comms-router icon indicating copy to clipboard operation
comms-router copied to clipboard

Published 20 hours ago verified publisher icon Nexmo

pac4j-saml-2.3.1.jar: 28 vulnerabilities (highest severity is: 8.8)

Open mend-for-github-com[bot] opened this issue 10 months ago • 0 comments

Vulnerable Library - pac4j-saml-2.3.1.jar

Profile & Authentication Client for Java

Library home page: https://github.com/pac4j/pac4j

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-saml/2.3.1/pac4j-saml-2.3.1.jar

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (pac4j-saml version) Remediation Possible** Reachability
CVE-2020-13936 High 8.8 Not Defined 10.599999% velocity-1.7.jar Transitive N/A*
CVE-2025-41249 High 7.5 Not Defined 0.1% spring-core-4.3.7.RELEASE.jar Transitive N/A*
CVE-2024-30172 High 7.5 Not Defined 0.1% bcprov-jdk15on-1.56.jar Transitive N/A*
CVE-2024-29857 High 7.5 Not Defined 0.2% bcprov-jdk15on-1.56.jar Transitive N/A*
CVE-2022-34169 High 7.5 Not Defined 8.8% xalan-2.7.2.jar Transitive N/A*
CVE-2021-40690 High 7.5 Not Defined 0.3% xmlsec-2.0.5.jar Transitive 5.4.1
CVE-2020-7226 High 7.5 Not Defined 1.6% cryptacular-1.1.0.jar Transitive 5.0.0
CVE-2019-17359 High 7.5 Not Defined 7.6% bcprov-jdk15on-1.56.jar Transitive 5.0.0
CVE-2018-15756 High 7.5 Not Defined 13.400001% spring-core-4.3.7.RELEASE.jar Transitive N/A*
CVE-2018-1272 High 7.5 Not Defined 1.2% spring-core-4.3.7.RELEASE.jar Transitive 3.0.0
CVE-2018-11040 High 7.5 Not Defined 8.2% spring-core-4.3.7.RELEASE.jar Transitive N/A*
CVE-2018-1000180 High 7.5 Not Defined 0.2% bcprov-jdk15on-1.56.jar Transitive 3.3.0
WS-2019-0379 Medium 6.5 Not Defined commons-codec-1.10.jar Transitive N/A*
CVE-2023-44483 Medium 6.5 Not Defined 0.1% xmlsec-2.0.5.jar Transitive N/A*
CVE-2024-30171 Medium 5.9 Not Defined 0.1% bcprov-jdk15on-1.56.jar Transitive N/A*
CVE-2020-15522 Medium 5.9 Not Defined 0.4% bcprov-jdk15on-1.56.jar Transitive 5.4.1
CVE-2023-33202 Medium 5.5 Not Defined 0.1% bcprov-jdk15on-1.56.jar Transitive N/A*
CVE-2019-12400 Medium 5.5 Not Defined 0.6% xmlsec-2.0.5.jar Transitive 5.0.0
WS-2017-3734 Medium 5.3 Not Defined httpclient-4.3.6.jar Transitive 5.0.0
CVE-2025-48924 Medium 5.3 Not Defined 0.1% commons-lang-2.4.jar Transitive N/A*
CVE-2023-33201 Medium 5.3 Not Defined 0.3% bcprov-jdk15on-1.56.jar Transitive N/A*
CVE-2022-22970 Medium 5.3 Not Defined 0.2% spring-core-4.3.7.RELEASE.jar Transitive 5.4.1
CVE-2020-26939 Medium 5.3 Not Defined 2.6000001% bcprov-jdk15on-1.56.jar Transitive 5.0.0
CVE-2020-13956 Medium 5.3 Not Defined 0.5% httpclient-4.3.6.jar Transitive 5.4.1
CVE-2018-1199 Medium 5.3 Not Defined 1.5% spring-core-4.3.7.RELEASE.jar Transitive 3.0.0
CVE-2019-10755 Medium 4.9 Not Defined 0.3% pac4j-saml-2.3.1.jar Direct Replace or update the following files: CommonHelper.java, SAML2Utils.java, CommonHelperTests.java
CVE-2021-22096 Medium 4.3 Not Defined 0.2% spring-core-4.3.7.RELEASE.jar Transitive 5.4.1
CVE-2021-22060 Medium 4.3 Not Defined 0.2% spring-core-4.3.7.RELEASE.jar Transitive 5.4.1

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2020-13936

Vulnerable Library - velocity-1.7.jar

Apache Velocity is a general purpose template engine.

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.7/velocity-1.7.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-impl-3.3.0.jar
      • :x: velocity-1.7.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Publish Date: 2021-03-10

URL: CVE-2020-13936

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 10.599999%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-10

Fix Resolution: org.apache.velocity:velocity-engine-core:2.3

CVE-2025-41249

Vulnerable Library - spring-core-4.3.7.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • :x: spring-core-4.3.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-16

URL: CVE-2025-41249

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41249

Release Date: 2025-09-14

Fix Resolution: org.springframework:spring-core:6.2.11

CVE-2024-30172

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Publish Date: 2024-05-09

URL: CVE-2024-30172

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2024-29857

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-09

URL: CVE-2024-29857

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-8xfc-gm6g-vgpv

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2022-34169

Vulnerable Library - xalan-2.7.2.jar

Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Library home page: http://xml.apache.org/xalan-j/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.2/xalan-2.7.2.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • :x: xalan-2.7.2.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Publish Date: 2022-07-19

URL: CVE-2022-34169

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 8.8%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9339-86wc-4qgf

Release Date: 2022-07-19

Fix Resolution: xalan:xalan:2.7.3

CVE-2021-40690

Vulnerable Library - xmlsec-2.0.5.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.0.5/xmlsec-2.0.5.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: xmlsec-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Publish Date: 2021-09-19

URL: CVE-2021-40690

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690

Release Date: 2021-09-19

Fix Resolution (org.apache.santuario:xmlsec): 2.1.7

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 5.4.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-7226

Vulnerable Library - cryptacular-1.1.0.jar

The spectacular complement to the Bouncy Castle crypto API for Java.

Library home page: http://www.cryptacular.org

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cryptacular/cryptacular/1.1.0/cryptacular-1.1.0.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: cryptacular-1.1.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.

Publish Date: 2020-01-24

URL: CVE-2020-7226

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.6%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7226

Release Date: 2020-01-24

Fix Resolution (org.cryptacular:cryptacular): 1.1.4

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-17359

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.6%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution (org.bouncycastle:bcprov-jdk15on): 1.64

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-15756

Vulnerable Library - spring-core-4.3.7.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • :x: spring-core-4.3.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 13.400001%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1

CVE-2018-1272

Vulnerable Library - spring-core-4.3.7.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • :x: spring-core-4.3.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: 2018-04-06

Fix Resolution (org.springframework:spring-core): 4.3.15.RELEASE

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-11040

Vulnerable Library - spring-core-4.3.7.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • :x: spring-core-4.3.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Publish Date: 2018-06-25

URL: CVE-2018-11040

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 8.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040

Release Date: 2018-06-25

Fix Resolution: org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-webmvc:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-websocket:5.0.7.RELEASE,4.3.18.RELEASE

CVE-2018-1000180

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution (org.bouncycastle:bcprov-jdk15on): 1.57

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 3.3.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0379

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-core-3.3.0.jar
      • java-support-7.3.0.jar
        • :x: commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

CVE-2023-44483

Vulnerable Library - xmlsec-2.0.5.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.0.5/xmlsec-2.0.5.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: xmlsec-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

Publish Date: 2023-10-20

URL: CVE-2023-44483

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44483

Release Date: 2023-10-20

Fix Resolution: org.apache.santuario:xmlsec:2.2.6,2.3.4,3.0.3

CVE-2024-30171

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Publish Date: 2024-05-09

URL: CVE-2024-30171

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-v435-xc8x-wvr9

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2020-15522

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution (org.bouncycastle:bcprov-jdk15on): 1.66

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 5.4.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-33202

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Publish Date: 2023-11-23

URL: CVE-2023-33202

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wjxj-5m7g-mg7q

Release Date: 2023-11-23

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.73, org.bouncycastle:bcprov-jdk15to18: 1.73, org.bouncycastle:bcprov-jdk18on:1.73

CVE-2019-12400

Vulnerable Library - xmlsec-2.0.5.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.0.5/xmlsec-2.0.5.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: xmlsec-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

Publish Date: 2019-08-23

URL: CVE-2019-12400

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2

Release Date: 2019-08-23

Fix Resolution (org.apache.santuario:xmlsec): 2.1.4

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2017-3734

Vulnerable Library - httpclient-4.3.6.jar

HttpComponents Client

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.3.6/httpclient-4.3.6.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • opensaml-messaging-api-3.3.0.jar
            • :x: httpclient-4.3.6.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Affected versions of the package are vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server

Publish Date: 2017-01-21

URL: WS-2017-3734

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2017-01-21

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3

Direct dependency fix Resolution (org.pac4j:pac4j-saml): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2025-48924

Vulnerable Library - commons-lang-2.4.jar

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

Library home page: http://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.4/commons-lang-2.4.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-impl-3.3.0.jar
      • velocity-1.7.jar
        • :x: commons-lang-2.4.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-11

URL: CVE-2025-48924

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-07-11

Fix Resolution: org.apache.commons:commons-lang3:3.18.0

CVE-2023-33201

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.56/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • pac4j-saml-2.3.1.jar (Root Library)
    • opensaml-saml-api-3.3.0.jar
      • opensaml-xmlsec-api-3.3.0.jar
        • opensaml-security-api-3.3.0.jar
          • :x: bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Publish Date: 2023-07-05

URL: CVE-2023-33201

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-05

Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Jan 22 '25 18:01 mend-for-github-com[bot]