comms-router icon indicating copy to clipboard operation
comms-router copied to clipboard

Published 20 hours ago verified publisher icon Nexmo

buji-pac4j-3.2.0.jar: 15 vulnerabilities (highest severity is: 9.8)

Open mend-for-github-com[bot] opened this issue 10 months ago • 0 comments

Vulnerable Library - buji-pac4j-3.2.0.jar

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (buji-pac4j version) Remediation Possible** Reachability
CVE-2023-34478 Critical 9.8 High 0.0% shiro-core-1.4.0.jar Transitive 9.0.0
CVE-2023-25581 Critical 9.8 Not Defined 10.3% pac4j-core-2.2.1.jar Transitive N/A*
CVE-2022-40664 Critical 9.8 Not Defined 0.5% shiro-web-1.4.0.jar Transitive N/A*
CVE-2022-32532 Critical 9.8 Not Defined 82.1% shiro-core-1.4.0.jar Transitive 8.0.0
CVE-2021-41303 Critical 9.8 Not Defined 47.2% shiro-core-1.4.0.jar Transitive 6.1.0
CVE-2020-1957 Critical 9.8 Not Defined 86.1% shiro-web-1.4.0.jar Transitive 5.0.0
CVE-2020-17510 Critical 9.8 Not Defined 1.1% shiro-web-1.4.0.jar Transitive 6.0.0
CVE-2020-11989 Critical 9.8 Not Defined 77.8% shiro-web-1.4.0.jar Transitive 5.0.1
CVE-2025-48734 High 8.8 Not Defined 0.1% commons-beanutils-1.9.3.jar Transitive N/A*
CVE-2020-13933 High 7.5 Not Defined 69.5% shiro-core-1.4.0.jar Transitive 6.0.0
CVE-2019-12422 High 7.5 Not Defined 56.4% detected in multiple dependencies Transitive N/A*
CVE-2019-10086 High 7.3 Not Defined 0.3% commons-beanutils-1.9.3.jar Transitive 5.0.0
CVE-2014-0114 High 7.3 Not Defined 92.299995% commons-beanutils-1.9.3.jar Transitive 5.0.0
CVE-2023-46749 Medium 6.5 Not Defined 0.2% detected in multiple dependencies Transitive N/A*
CVE-2023-46750 Medium 6.1 Not Defined 0.2% shiro-web-1.4.0.jar Transitive 8.2.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-34478

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • :x: shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Publish Date: 2023-07-24

URL: CVE-2023-34478

Threat Assessment

Exploit Maturity: High

EPSS: 0.0%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-24

Fix Resolution (org.apache.shiro:shiro-core): 1.12.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 9.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-25581

Vulnerable Library - pac4j-core-2.2.1.jar

Profile & Authentication Client for Java

Library home page: https://github.com/pac4j/pac4j

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.2.1/pac4j-core-2.2.1.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: pac4j-core-2.2.1.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

pac4j is a security framework for Java. pac4j-core prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the UserProfile class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix {#sb64} and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a RestrictedObjectInputStream is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-10-10

URL: CVE-2023-25581

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 10.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

CVE-2022-40664

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Publish Date: 2022-10-12

URL: CVE-2022-40664

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

CVE-2022-32532

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • :x: shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Publish Date: 2022-06-28

URL: CVE-2022-32532

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 82.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4cf5-xmhp-3xj7

Release Date: 2022-06-28

Fix Resolution (org.apache.shiro:shiro-core): 1.9.1

Direct dependency fix Resolution (io.buji:buji-pac4j): 8.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-41303

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • :x: shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Publish Date: 2021-09-17

URL: CVE-2021-41303

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 47.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-f6jp-j6w3-w9hm

Release Date: 2021-09-17

Fix Resolution (org.apache.shiro:shiro-core): 1.8.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 6.1.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-1957

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-03-25

URL: CVE-2020-1957

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 86.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://shiro.apache.org/news.html

Release Date: 2020-03-25

Fix Resolution (org.apache.shiro:shiro-web): 1.5.2

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-17510

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-11-05

URL: CVE-2020-17510

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E

Release Date: 2020-11-05

Fix Resolution (org.apache.shiro:shiro-web): 1.7.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 6.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-11989

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-06-22

URL: CVE-2020-11989

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 77.8%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/SHIRO-753

Release Date: 2020-06-22

Fix Resolution (org.apache.shiro:shiro-web): 1.5.3

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2025-48734

Vulnerable Library - commons-beanutils-1.9.3.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • shiro-config-ogdl-1.4.0.jar
          • :x: commons-beanutils-1.9.3.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Publish Date: 2025-05-28

URL: CVE-2025-48734

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wxr5-93ph-8wr9

Release Date: 2025-05-28

Fix Resolution: commons-beanutils:commons-beanutils:1.11.0

CVE-2020-13933

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • :x: shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-08-17

URL: CVE-2020-13933

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 69.5%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2vgm-wxr3-6w2j

Release Date: 2020-08-17

Fix Resolution (org.apache.shiro:shiro-core): 1.6.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 6.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-12422

Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-crypto-cipher-1.4.0.jar

shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • :x: shiro-core-1.4.0.jar (Vulnerable Library)

shiro-crypto-cipher-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-crypto-cipher/1.4.0/shiro-crypto-cipher-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • :x: shiro-crypto-cipher-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

Publish Date: 2019-11-18

URL: CVE-2019-12422

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 56.4%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Release Date: 2019-11-06

Fix Resolution: Replace or update the following files: AesCipherService.java, AesCipherServiceTest.groovy, CookieRememberMeManagerTest.java, pom.xml, JcaCipherService.java

CVE-2019-10086

Vulnerable Library - commons-beanutils-1.9.3.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • shiro-config-ogdl-1.4.0.jar
          • :x: commons-beanutils-1.9.3.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2014-0114

Vulnerable Library - commons-beanutils-1.9.3.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • shiro-config-ogdl-1.4.0.jar
          • :x: commons-beanutils-1.9.3.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 92.299995%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-46749

Vulnerable Libraries - shiro-core-1.4.0.jar, shiro-web-1.4.0.jar

shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • :x: shiro-core-1.4.0.jar (Vulnerable Library)

shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure "blockSemicolon" is enabled (this is the default).

Publish Date: 2024-01-15

URL: CVE-2023-46749

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-46749

Release Date: 2024-01-15

Fix Resolution: org.apache.shiro:shiro-all:1.13.0, org.apache.shiro:shiro-web:1.13.0

CVE-2023-46750

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • :x: shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

Publish Date: 2023-12-14

URL: CVE-2023-46750

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hhw5-c326-822h

Release Date: 2023-12-14

Fix Resolution (org.apache.shiro:shiro-web): 1.13.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 8.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Jan 22 '25 18:01 mend-for-github-com[bot]