Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: dependencies

org.openspcoop2:org.openspcoop2.dependencies:1.0

Scan Information:

Summary

Dependency | Vulnerability IDs (CPE) | Package (PURL) | Highest Severity | CVE Count | Confidence | Evidence Count
bcprov-ext-jdk18on-1.74.jar | cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.74:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcprov-ext-jdk18on@1.74 | HIGH | 3 | Highest | 58
jfreechart-1.5.3.jar | cpe:2.3:a:time_project:time:1.5.3:*:*:*:*:*:*:* | pkg:maven/org.jfree/jfreechart@1.5.3 | HIGH | 3 | Low | 41
spring-web-5.3.33.jar | cpe:2.3:a:pivotal_software:spring_framework:5.3.33:*:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:5.3.33:*:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_framework:5.3.33:*:*:*:*:*:*:*; cpe:2.3:a:web_project:web:5.3.33:*:*:*:*:*:*:* | pkg:maven/org.springframework/spring-web@5.3.33 | HIGH | 1 | Highest | 35

Dependencies

bcprov-ext-jdk18on-1.74.jar

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up. Note: this package includes the NTRU encryption algorithms.

License:

Bouncy Castle Licence: https://www.bouncycastle.org/licence.html
File Path: /var/lib/jenkins/.m2/repository/org/bouncycastle/bcprov-ext-jdk18on/1.74/bcprov-ext-jdk18on-1.74.jar
MD5: 5921e4134b757c441b190d41dbb7be5e
SHA1: 628e91c99425990094d79f4b71f9f4448019a5bb
SHA256: a0e5f8d3db1adcc54f6502a4fc67e81e676ceb6f5dd94dc376a229e528d729fc
Referenced In Project/Scope: dependencies.security:compile
bcprov-ext-jdk18on-1.74.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.openspcoop2/org.openspcoop2.security@1.0

Identifiers

Published Vulnerabilities

CVE-2024-29857 (OSSINDEX)

bouncycastle - Denial of Service (DoS)
CWE-400 Uncontrolled Resource Consumption

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2024-30171 (OSSINDEX)

bouncycastle - Observable Timing Discrepancy [ aka CVE-2024-20952 ]
CWE-208 Observable Timing Discrepancy

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2024-30172 (OSSINDEX)

Bouncy Castle - Infinite Loop
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

jfreechart-1.5.3.jar

Description:

JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D API, it supports a wide range of chart types including bar charts, pie charts, line charts, XY-plots, time series plots, Sankey charts and more.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /var/lib/jenkins/.m2/repository/org/jfree/jfreechart/1.5.3/jfreechart-1.5.3.jar
MD5: b4e3884a30da4b8a36ef4e5ba03f23e2
SHA1: 26c6d7143d8a905a54c7e2296cea6ce4c5ecb417
SHA256: 23bd63ece2284d6578ed51f336cd33681c53f817e4595a705690922a3c0f0f44
Referenced In Project/Scope: dependencies.reports:compile
jfreechart-1.5.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.openspcoop2/org.openspcoop2.reports@1.0

Identifiers

Published Vulnerabilities

CVE-2023-52070 (OSSINDEX)

JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int index, int type)' method. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-129 Improper Validation of Array Index

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2024-22949 (OSSINDEX)

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2024-23076 (OSSINDEX)

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):
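All three JFreeChart entries above carry a dispute note in their own descriptions, and the CPE the tool matched for this jar (time_project:time, confidence Low) does not describe JFreeChart. The suppression file below is an added example, not part of the generated report: it records both decisions so the findings stop reappearing on every scan, keyed to the jar's SHA1 exactly as listed above so the rule cannot quietly cover a different artifact. The package URL regex, the note text and the expiry date are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; not generated by Dependency-Check. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Wrong CPE match: jfreechart-1.5.3.jar was identified as time_project:time
         with Low confidence. Pinned to the SHA1 from the report so that a
         different jfreechart build is re-evaluated rather than silently hidden. -->
    <suppress>
        <notes><![CDATA[
        jfreechart-1.5.3.jar: CPE time_project:time is a false match (confidence Low).
        ]]></notes>
        <sha1>26c6d7143d8a905a54c7e2296cea6ce4c5ecb417</sha1>
        <cpe>cpe:/a:time_project:time</cpe>
    </suppress>

    <!-- Disputed CVEs reported by OSS Index for JFreeChart. The until date is an
         assumed value; it forces the suppression to expire so the decision is
         revisited instead of forgotten. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
        CVE-2023-52070, CVE-2024-22949, CVE-2024-23076: disputed by multiple
        third parties (see the NVD descriptions); no evidence of a reachable
        vulnerability in jfreechart 1.5.3 as used here.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jfree/jfreechart@.*$</packageUrl>
        <cve>CVE-2023-52070</cve>
        <cve>CVE-2024-22949</cve>
        <cve>CVE-2024-23076</cve>
    </suppress>

</suppressions>
```

Pass the file with --suppression on the command line (the Maven and Gradle plugins take it through their suppressionFiles setting) and keep it under version control next to the build, so the note explaining each suppression travels with the project. The Bouncy Castle and Spring findings in this report are not candidates for the same treatment: nothing in their entries disputes them, and the remedy there is an upgrade of the dependency, not a suppression.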

spring-web-5.3.33.jar

Description:

Spring Web

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /var/lib/jenkins/.m2/repository/org/springframework/spring-web/5.3.33/spring-web-5.3.33.jar
MD5: 865197571b912d8aba6ba94218e2bd6f
SHA1: dc3bd82ba847474d37eb06f1b5924a76069cb666
SHA256: 6e7825e4a2234d826fd9a417947235a64950241f5d8365b5ef7fabba2b1bee1a
Referenced In Project/Scope: dependencies.spring:compile
spring-web-5.3.33.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.openspcoop2/org.openspcoop2.spring@1.0

Identifiers

Published Vulnerabilities

CVE-2024-22262 (OSSINDEX)

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

CWE-20 Improper Input Validation

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.