Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
---|---|---|---|---|---|---|
bcprov-ext-jdk18on-1.74.jar | cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.74:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcprov-ext-jdk18on@1.74 | HIGH | 3 | Highest | 58 |
jfreechart-1.5.3.jar | cpe:2.3:a:time_project:time:1.5.3:*:*:*:*:*:*:* | pkg:maven/org.jfree/jfreechart@1.5.3 | HIGH | 3 | Low | 41 |
spring-web-5.3.33.jar | cpe:2.3:a:pivotal_software:spring_framework:5.3.33:*:*:*:*:*:*:* cpe:2.3:a:springsource:spring_framework:5.3.33:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_framework:5.3.33:*:*:*:*:*:*:* cpe:2.3:a:web_project:web:5.3.33:*:*:*:*:*:*:* | pkg:maven/org.springframework/spring-web@5.3.33 | HIGH | 1 | Highest | 35 |
Description:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up. Note: this package includes the NTRU encryption algorithms.
License:
Bouncy Castle Licence: https://www.bouncycastle.org/licence.html
File Path: /var/lib/jenkins/.m2/repository/org/bouncycastle/bcprov-ext-jdk18on/1.74/bcprov-ext-jdk18on-1.74.jar
CVE-2024-29857 (OSSINDEX)
bouncycastle - Denial of Service (DoS)
CWE-400 Uncontrolled Resource Consumption
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-30171 (OSSINDEX)
bouncycastle - Observable Timing Discrepancy [ aka CVE-2024-20952 ]
CWE-208 Observable Timing Discrepancy
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-30172 (OSSINDEX)
Bouncy Castle - Infinite Loop
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Vulnerable Software & Versions (OSSINDEX):
Description:
JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D API, it supports a wide range of chart types including bar charts, pie charts, line charts, XY-plots, time series plots, Sankey charts and more.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /var/lib/jenkins/.m2/repository/org/jfree/jfreechart/1.5.3/jfreechart-1.5.3.jar
CVE-2023-52070 (OSSINDEX)
JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the 'setSeriesNeedle(int index, int type)' method. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-129 Improper Validation of Array Index
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-22949 (OSSINDEX)
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-23076 (OSSINDEX)
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
CWE-476 NULL Pointer Dereference
Vulnerable Software & Versions (OSSINDEX):
Description:
Spring Web
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /var/lib/jenkins/.m2/repository/org/springframework/spring-web/5.3.33/spring-web-5.3.33.jar
CVE-2024-22262 (OSSINDEX)
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
CWE-20 Improper Input Validation
Vulnerable Software & Versions (OSSINDEX):