{ "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi", "issues" : [ { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/var/govway/batch/generatoreStatistiche/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "govway", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/linkitaly/govway", "fingerprint" : "FALLBACK-25b388a0", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32767: OsPackageVulnerability\u000a\u000aSiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32767**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|libexpat|2.7.5-r0|[CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)|\u000a\u000a## Summary\u000a\u000aSiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the `Reader` role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database.\u000a\u000aThis is inconsistent with the application's own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely.\u000a\u000a## Root Cause Analysis\u000a\u000a### The Vulnerable Endpoint\u000a\u000a**File:** `kernel/api/router.go`, line 188\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/search/fullTextSearchBlock\", model.CheckAuth, fullTextSearchBlock)\u000a```\u000a\u000aThis endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader).\u000a\u000a### The Properly Protected Endpoint (for comparison)\u000a\u000a**File:** `kernel/api/router.go`, line 177\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/query/sql\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL)\u000a```\u000a\u000aThis endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode.\u000a\u000a### The Vulnerable Code Path\u000a\u000a**File:** `kernel/api/search.go`, lines 389-411\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a blocks, matchedBlockCount, matchedRootCount, pageCount, docMode :=\u000a model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/search.go`, lines 1205-1206\u000a\u000a```go\u000acase 2: // SQL\u000a blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize)\u000a```\u000a\u000aWhen `method=2`, the raw `query` string is passed directly to `searchBySQL()`.\u000a\u000a**File:** `kernel/model/search.go`, lines 1460-1462\u000a\u000a```go\u000afunc searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) {\u000a stmt = strings.TrimSpace(stmt)\u000a blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize)\u000a```\u000a\u000a**File:** `kernel/sql/block_query.go`, lines 566-569, 713-714\u000a\u000a```go\u000afunc SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) {\u000a parsedStmt, err := sqlparser.Parse(stmt)\u000a if err != nil {\u000a return selectBlocksRawStmt(stmt, limit) // Falls through to raw execution\u000a }\u000a // ...\u000a}\u000a\u000afunc selectBlocksRawStmt(stmt string, limit int) (ret []*Block) {\u000a rows, err := query(stmt) // Executes arbitrary SQL\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/sql/database.go`, lines 1327-1337\u000a\u000a```go\u000afunc query(query string, args ...interface{}) (*sql.Rows, error) {\u000a // ...\u000a return db.Query(query, args...) // Go's database/sql db.Query — executes ANY SQL\u000a}\u000a```\u000a\u000aGo's `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed.\u000a\u000a### Authorization Model\u000a\u000a**File:** `kernel/model/session.go`, lines 201-210\u000a\u000a```go\u000afunc CheckAuth(c *gin.Context) {\u000a // Already authenticated via JWT\u000a if role := GetGinContextRole(c); IsValidRole(role, []Role{\u000a RoleAdministrator,\u000a RoleEditor,\u000a RoleReader, // <-- Reader role passes CheckAuth\u000a }) {\u000a c.Next()\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/session.go`, lines 380-386\u000a\u000a```go\u000afunc CheckAdminRole(c *gin.Context) {\u000a if IsAdminRoleContext(c) {\u000a c.Next()\u000a } else {\u000a c.AbortWithStatus(http.StatusForbidden) // <-- This check is MISSING on the search endpoint\u000a }\u000a}\u000a```\u000a\u000a## Proof of Concept\u000a\u000a### Prerequisites\u000a- SiYuan instance accessible over the network (e.g., Docker deployment)\u000a- Valid authentication as any user role (including `Reader`)\u000a\u000a### Steps to Reproduce\u000a\u000a1. Authenticate to SiYuan and obtain a valid session cookie or API token.\u000a\u000a2. **Read all data (confidentiality breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"SELECT * FROM blocks LIMIT 100\"}'\u000a```\u000a\u000a3. **Delete all blocks (integrity/availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DELETE FROM blocks\"}'\u000a```\u000a\u000a4. **Drop tables (availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DROP TABLE blocks\"}'\u000a```\u000a\u000a5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role):\u000a```bash\u000acurl -X POST http://:6806/api/query/sql \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"stmt\": \"SELECT * FROM blocks LIMIT 10\"}'\u000a```\u000a\u000a### Expected Behavior\u000aThe search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`.\u000a\u000a### Actual Behavior\u000aAny authenticated user (including Reader role) can execute arbitrary SQL including destructive operations.\u000a\u000a## Impact\u000a\u000aIn a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code):\u000a\u000a- **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to.\u000a- **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design.\u000a- **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable.\u000a\u000a## Suggested Fix\u000a\u000aAdd `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`:\u000a\u000a**Option A — Restrict method=2 to admin (recommended):**\u000a\u000aIn `kernel/api/search.go`, add a role check when `method=2`:\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a\u000a // SQL mode requires admin privileges, consistent with /api/query/sql\u000a if method == 2 && !model.IsAdminRoleContext(c) {\u000a ret.Code = -1\u000a ret.Msg = \"SQL search requires administrator privileges\"\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**Option B — Enforce SELECT-only for non-admin users:**\u000a\u000aValidate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32767\u000aSeverity: CRITICAL\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "govway(1,0): CVE-2026-32767: : CVE-2026-32767: OsPackageVulnerability\u000a\u000aSiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32767**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|libexpat|2.7.5-r0|[CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)|\u000a\u000a## Summary\u000a\u000aSiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the `Reader` role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database.\u000a\u000aThis is inconsistent with the application's own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely.\u000a\u000a## Root Cause Analysis\u000a\u000a### The Vulnerable Endpoint\u000a\u000a**File:** `kernel/api/router.go`, line 188\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/search/fullTextSearchBlock\", model.CheckAuth, fullTextSearchBlock)\u000a```\u000a\u000aThis endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader).\u000a\u000a### The Properly Protected Endpoint (for comparison)\u000a\u000a**File:** `kernel/api/router.go`, line 177\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/query/sql\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL)\u000a```\u000a\u000aThis endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode.\u000a\u000a### The Vulnerable Code Path\u000a\u000a**File:** `kernel/api/search.go`, lines 389-411\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a blocks, matchedBlockCount, matchedRootCount, pageCount, docMode :=\u000a model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/search.go`, lines 1205-1206\u000a\u000a```go\u000acase 2: // SQL\u000a blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize)\u000a```\u000a\u000aWhen `method=2`, the raw `query` string is passed directly to `searchBySQL()`.\u000a\u000a**File:** `kernel/model/search.go`, lines 1460-1462\u000a\u000a```go\u000afunc searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) {\u000a stmt = strings.TrimSpace(stmt)\u000a blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize)\u000a```\u000a\u000a**File:** `kernel/sql/block_query.go`, lines 566-569, 713-714\u000a\u000a```go\u000afunc SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) {\u000a parsedStmt, err := sqlparser.Parse(stmt)\u000a if err != nil {\u000a return selectBlocksRawStmt(stmt, limit) // Falls through to raw execution\u000a }\u000a // ...\u000a}\u000a\u000afunc selectBlocksRawStmt(stmt string, limit int) (ret []*Block) {\u000a rows, err := query(stmt) // Executes arbitrary SQL\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/sql/database.go`, lines 1327-1337\u000a\u000a```go\u000afunc query(query string, args ...interface{}) (*sql.Rows, error) {\u000a // ...\u000a return db.Query(query, args...) // Go's database/sql db.Query — executes ANY SQL\u000a}\u000a```\u000a\u000aGo's `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed.\u000a\u000a### Authorization Model\u000a\u000a**File:** `kernel/model/session.go`, lines 201-210\u000a\u000a```go\u000afunc CheckAuth(c *gin.Context) {\u000a // Already authenticated via JWT\u000a if role := GetGinContextRole(c); IsValidRole(role, []Role{\u000a RoleAdministrator,\u000a RoleEditor,\u000a RoleReader, // <-- Reader role passes CheckAuth\u000a }) {\u000a c.Next()\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/session.go`, lines 380-386\u000a\u000a```go\u000afunc CheckAdminRole(c *gin.Context) {\u000a if IsAdminRoleContext(c) {\u000a c.Next()\u000a } else {\u000a c.AbortWithStatus(http.StatusForbidden) // <-- This check is MISSING on the search endpoint\u000a }\u000a}\u000a```\u000a\u000a## Proof of Concept\u000a\u000a### Prerequisites\u000a- SiYuan instance accessible over the network (e.g., Docker deployment)\u000a- Valid authentication as any user role (including `Reader`)\u000a\u000a### Steps to Reproduce\u000a\u000a1. Authenticate to SiYuan and obtain a valid session cookie or API token.\u000a\u000a2. **Read all data (confidentiality breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"SELECT * FROM blocks LIMIT 100\"}'\u000a```\u000a\u000a3. **Delete all blocks (integrity/availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DELETE FROM blocks\"}'\u000a```\u000a\u000a4. **Drop tables (availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DROP TABLE blocks\"}'\u000a```\u000a\u000a5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role):\u000a```bash\u000acurl -X POST http://:6806/api/query/sql \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"stmt\": \"SELECT * FROM blocks LIMIT 10\"}'\u000a```\u000a\u000a### Expected Behavior\u000aThe search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`.\u000a\u000a### Actual Behavior\u000aAny authenticated user (including Reader role) can execute arbitrary SQL including destructive operations.\u000a\u000a## Impact\u000a\u000aIn a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code):\u000a\u000a- **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to.\u000a- **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design.\u000a- **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable.\u000a\u000a## Suggested Fix\u000a\u000aAdd `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`:\u000a\u000a**Option A — Restrict method=2 to admin (recommended):**\u000a\u000aIn `kernel/api/search.go`, add a role check when `method=2`:\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a\u000a // SQL mode requires admin privileges, consistent with /api/query/sql\u000a if method == 2 && !model.IsAdminRoleContext(c) {\u000a ret.Code = -1\u000a ret.Msg = \"SQL search requires administrator privileges\"\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**Option B — Enforce SELECT-only for non-admin users:**\u000a\u000aValidate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32767\u000aSeverity: CRITICAL\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)", "type" : "CVE-2026-32767" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "govway", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/linkitaly/govway", "fingerprint" : "FALLBACK-4b1da1cc", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32777: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via infinite loop in DTD content parsing\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32777**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)|\u000a\u000alibexpat before 2.7.5 allows an infinite loop while parsing DTD content.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32777\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "govway(1,0): CVE-2026-32777: : CVE-2026-32777: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via infinite loop in DTD content parsing\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32777**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)|\u000a\u000alibexpat before 2.7.5 allows an infinite loop while parsing DTD content.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32777\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)", "type" : "CVE-2026-32777" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "govway", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/linkitaly/govway", "fingerprint" : "FALLBACK-4b3a3abd", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32778: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via NULL pointer dereference after out-of-memory condition\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32778**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)|\u000a\u000alibexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32778\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "govway(1,0): CVE-2026-32778: : CVE-2026-32778: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via NULL pointer dereference after out-of-memory condition\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32778**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)|\u000a\u000alibexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32778\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)", "type" : "CVE-2026-32778" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "hazelcast-5.3.8.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/hazelcast-5.3.8.jar", "fingerprint" : "FALLBACK-2c9ace5a", "lineEnd" : 1, "lineStart" : 1, "message" : "GHSA-72hv-8253-57qq: LanguageSpecificPackageVulnerability\u000a\u000ajackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition\u000a\u000aFor additional help see: **Vulnerability GHSA-72hv-8253-57qq**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|com.fasterxml.jackson.core:jackson-core|2.18.6, 2.21.1, 3.1.0|[GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)|\u000a\u000a### Summary\u000aThe non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).\u000a\u000aThe standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.\u000a\u000a### Details\u000aThe root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation.\u000a\u000a- The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks.\u000a- After parsing, they call `_valueComplete()`, which finalizes the token but does **not** call `resetInt()` or `resetFloat()`.\u000a- The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed.\u000a- Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path.\u000a\u000a### PoC\u000aThe following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.\u000a\u000a```java\u000apackage tools.jackson.core.unittest.dos;\u000a\u000aimport java.nio.charset.StandardCharsets;\u000a\u000aimport org.junit.jupiter.api.Test;\u000a\u000aimport tools.jackson.core.*;\u000aimport tools.jackson.core.exc.StreamConstraintsException;\u000aimport tools.jackson.core.json.JsonFactory;\u000aimport tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;\u000a\u000aimport static org.junit.jupiter.api.Assertions.*;\u000a\u000a/**\u000a * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers\u000a *\u000a * Authors: sprabhav7, rohan-repos\u000a * \u000a * maxNumberLength default = 1000 characters (digits).\u000a * A number with more than 1000 digits should be rejected by any parser.\u000a *\u000a * BUG: The async parser never calls resetInt()/resetFloat() which is where\u000a * validateIntegerLength()/validateFPLength() lives. Instead it calls\u000a * _valueComplete() which skips all number length validation.\u000a *\u000a * CWE-770: Allocation of Resources Without Limits or Throttling\u000a */\u000aclass AsyncParserNumberLengthBypassTest {\u000a\u000a private static final int MAX_NUMBER_LENGTH = 1000;\u000a private static final int TEST_NUMBER_LENGTH = 5000;\u000a\u000a private final JsonFactory factory = new JsonFactory();\u000a\u000a // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength\u000a @Test\u000a void syncParserRejectsLongNumber() throws Exception {\u000a byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);\u000a\u0009\u0009\u000a\u0009\u0009// Output to console\u000a System.out.println(\"[SYNC] Parsing \" + TEST_NUMBER_LENGTH + \"-digit number (limit: \" + MAX_NUMBER_LENGTH + \")\");\u000a try {\u000a try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {\u000a while (p.nextToken() != null) {\u000a if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {\u000a System.out.println(\"[SYNC] Accepted number with \" + p.getText().length() + \" digits — UNEXPECTED\");\u000a }\u000a }\u000a }\u000a fail(\"Sync parser must reject a \" + TEST_NUMBER_LENGTH + \"-digit number\");\u000a } catch (StreamConstraintsException e) {\u000a System.out.println(\"[SYNC] Rejected with StreamConstraintsException: \" + e.getMessage());\u000a }\u000a }\u000a\u000a // VULNERABILITY: Async parser accepts the SAME number that sync rejects\u000a @Test\u000a void asyncParserAcceptsLongNumber() throws Exception {\u000a byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);\u000a\u000a NonBlockingByteArrayJsonParser p =\u000a (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());\u000a p.feedInput(payload, 0, payload.length);\u000a p.endOfInput();\u000a\u000a boolean foundNumber = false;\u000a try {\u000a while (p.nextToken() != null) {\u000a if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {\u000a foundNumber = true;\u000a String numberText = p.getText();\u000a assertEquals(TEST_NUMBER_LENGTH, numberText.length(),\u000a \"Async parser silently accepted all \" + TEST_NUMBER_LENGTH + \" digits\");\u000a }\u000a }\u000a // Output to console\u000a System.out.println(\"[ASYNC INT] Accepted number with \" + TEST_NUMBER_LENGTH + \" digits — BUG CONFIRMED\");\u000a assertTrue(foundNumber, \"Parser should have produced a VALUE_NUMBER_INT token\");\u000a } catch (StreamConstraintsException e) {\u000a fail(\"Bug is fixed — async parser now correctly rejects long numbers: \" + e.getMessage());\u000a }\u000a p.close();\u000a }\u000a\u000a private byte[] buildPayloadWithLongInteger(int numDigits) {\u000a StringBuilder sb = new StringBuilder(numDigits + 10);\u000a sb.append(\"{\\\"v\\\":\");\u000a for (int i = 0; i < numDigits; i++) {\u000a sb.append((char) ('1' + (i % 9)));\u000a }\u000a sb.append('}');\u000a return sb.toString().getBytes(StandardCharsets.UTF_8);\u000a }\u000a}\u000a\u000a```\u000a\u000a\u000a### Impact\u000aA malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause:\u000a1. **Memory Exhaustion:** Unbounded allocation of memory in the `TextBuffer` to store the number's digits, leading to an `OutOfMemoryError`.\u000a2. **CPU Exhaustion:** If the application subsequently calls `getBigIntegerValue()` or `getDecimalValue()`, the JVM can be tied up in O(n^2) `BigInteger` parsing operations, leading to a CPU-based DoS.\u000a\u000a### Suggested Remediation\u000a\u000aThe async parsing path should be updated to respect the `maxNumberLength` constraint. The simplest fix appears to ensure that `_valueComplete()` or a similar method in the async path calls the appropriate validation methods (`resetInt()` or `resetFloat()`) already present in `ParserBase`, mirroring the behavior of the synchronous parsers.\u000a\u000a**NOTE:** This research was performed in collaboration with [rohan-repos](https://github.com/rohan-repos)\u000a\u000aPackage: com.fasterxml.jackson.core:jackson-core\u000aInstalled Version: 2.15.2\u000aVulnerability GHSA-72hv-8253-57qq\u000aSeverity: HIGH\u000aFixed Version: 2.18.6, 2.21.1, 3.1.0\u000aLink: [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "hazelcast-5.3.8.jar(1,0): GHSA-72hv-8253-57qq: : GHSA-72hv-8253-57qq: LanguageSpecificPackageVulnerability\u000a\u000ajackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition\u000a\u000aFor additional help see: **Vulnerability GHSA-72hv-8253-57qq**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|com.fasterxml.jackson.core:jackson-core|2.18.6, 2.21.1, 3.1.0|[GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)|\u000a\u000a### Summary\u000aThe non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).\u000a\u000aThe standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.\u000a\u000a### Details\u000aThe root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation.\u000a\u000a- The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks.\u000a- After parsing, they call `_valueComplete()`, which finalizes the token but does **not** call `resetInt()` or `resetFloat()`.\u000a- The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed.\u000a- Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path.\u000a\u000a### PoC\u000aThe following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.\u000a\u000a```java\u000apackage tools.jackson.core.unittest.dos;\u000a\u000aimport java.nio.charset.StandardCharsets;\u000a\u000aimport org.junit.jupiter.api.Test;\u000a\u000aimport tools.jackson.core.*;\u000aimport tools.jackson.core.exc.StreamConstraintsException;\u000aimport tools.jackson.core.json.JsonFactory;\u000aimport tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;\u000a\u000aimport static org.junit.jupiter.api.Assertions.*;\u000a\u000a/**\u000a * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers\u000a *\u000a * Authors: sprabhav7, rohan-repos\u000a * \u000a * maxNumberLength default = 1000 characters (digits).\u000a * A number with more than 1000 digits should be rejected by any parser.\u000a *\u000a * BUG: The async parser never calls resetInt()/resetFloat() which is where\u000a * validateIntegerLength()/validateFPLength() lives. Instead it calls\u000a * _valueComplete() which skips all number length validation.\u000a *\u000a * CWE-770: Allocation of Resources Without Limits or Throttling\u000a */\u000aclass AsyncParserNumberLengthBypassTest {\u000a\u000a private static final int MAX_NUMBER_LENGTH = 1000;\u000a private static final int TEST_NUMBER_LENGTH = 5000;\u000a\u000a private final JsonFactory factory = new JsonFactory();\u000a\u000a // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength\u000a @Test\u000a void syncParserRejectsLongNumber() throws Exception {\u000a byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);\u000a\u0009\u0009\u000a\u0009\u0009// Output to console\u000a System.out.println(\"[SYNC] Parsing \" + TEST_NUMBER_LENGTH + \"-digit number (limit: \" + MAX_NUMBER_LENGTH + \")\");\u000a try {\u000a try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {\u000a while (p.nextToken() != null) {\u000a if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {\u000a System.out.println(\"[SYNC] Accepted number with \" + p.getText().length() + \" digits — UNEXPECTED\");\u000a }\u000a }\u000a }\u000a fail(\"Sync parser must reject a \" + TEST_NUMBER_LENGTH + \"-digit number\");\u000a } catch (StreamConstraintsException e) {\u000a System.out.println(\"[SYNC] Rejected with StreamConstraintsException: \" + e.getMessage());\u000a }\u000a }\u000a\u000a // VULNERABILITY: Async parser accepts the SAME number that sync rejects\u000a @Test\u000a void asyncParserAcceptsLongNumber() throws Exception {\u000a byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);\u000a\u000a NonBlockingByteArrayJsonParser p =\u000a (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());\u000a p.feedInput(payload, 0, payload.length);\u000a p.endOfInput();\u000a\u000a boolean foundNumber = false;\u000a try {\u000a while (p.nextToken() != null) {\u000a if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {\u000a foundNumber = true;\u000a String numberText = p.getText();\u000a assertEquals(TEST_NUMBER_LENGTH, numberText.length(),\u000a \"Async parser silently accepted all \" + TEST_NUMBER_LENGTH + \" digits\");\u000a }\u000a }\u000a // Output to console\u000a System.out.println(\"[ASYNC INT] Accepted number with \" + TEST_NUMBER_LENGTH + \" digits — BUG CONFIRMED\");\u000a assertTrue(foundNumber, \"Parser should have produced a VALUE_NUMBER_INT token\");\u000a } catch (StreamConstraintsException e) {\u000a fail(\"Bug is fixed — async parser now correctly rejects long numbers: \" + e.getMessage());\u000a }\u000a p.close();\u000a }\u000a\u000a private byte[] buildPayloadWithLongInteger(int numDigits) {\u000a StringBuilder sb = new StringBuilder(numDigits + 10);\u000a sb.append(\"{\\\"v\\\":\");\u000a for (int i = 0; i < numDigits; i++) {\u000a sb.append((char) ('1' + (i % 9)));\u000a }\u000a sb.append('}');\u000a return sb.toString().getBytes(StandardCharsets.UTF_8);\u000a }\u000a}\u000a\u000a```\u000a\u000a\u000a### Impact\u000aA malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause:\u000a1. **Memory Exhaustion:** Unbounded allocation of memory in the `TextBuffer` to store the number's digits, leading to an `OutOfMemoryError`.\u000a2. **CPU Exhaustion:** If the application subsequently calls `getBigIntegerValue()` or `getDecimalValue()`, the JVM can be tied up in O(n^2) `BigInteger` parsing operations, leading to a CPU-based DoS.\u000a\u000a### Suggested Remediation\u000a\u000aThe async parsing path should be updated to respect the `maxNumberLength` constraint. The simplest fix appears to ensure that `_valueComplete()` or a similar method in the async path calls the appropriate validation methods (`resetInt()` or `resetFloat()`) already present in `ParserBase`, mirroring the behavior of the synchronous parsers.\u000a\u000a**NOTE:** This research was performed in collaboration with [rohan-repos](https://github.com/rohan-repos)\u000a\u000aPackage: com.fasterxml.jackson.core:jackson-core\u000aInstalled Version: 2.15.2\u000aVulnerability GHSA-72hv-8253-57qq\u000aSeverity: HIGH\u000aFixed Version: 2.18.6, 2.21.1, 3.1.0\u000aLink: [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)", "type" : "GHSA-72hv-8253-57qq" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-19072676", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "type" : "CVE-2023-34396" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "jasperreports-6.20.0.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/jasperreports-6.20.0.jar", "fingerprint" : "FALLBACK-b0f36103", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-10492: LanguageSpecificPackageVulnerability\u000a\u000aJasperReports has a Java deserialisation vulnerability\u000a\u000aFor additional help see: **Vulnerability CVE-2025-10492**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)|\u000a\u000aA Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\u000a\u000aPackage: net.sf.jasperreports:jasperreports\u000aInstalled Version: 6.20.0\u000aVulnerability CVE-2025-10492\u000aSeverity: HIGH\u000aFixed Version: 7.0.4\u000aLink: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "jasperreports-6.20.0.jar(1,0): CVE-2025-10492: : CVE-2025-10492: LanguageSpecificPackageVulnerability\u000a\u000aJasperReports has a Java deserialisation vulnerability\u000a\u000aFor additional help see: **Vulnerability CVE-2025-10492**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)|\u000a\u000aA Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\u000a\u000aPackage: net.sf.jasperreports:jasperreports\u000aInstalled Version: 6.20.0\u000aVulnerability CVE-2025-10492\u000aSeverity: HIGH\u000aFixed Version: 7.0.4\u000aLink: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)", "type" : "CVE-2025-10492" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-19072676", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "type" : "CVE-2023-34396" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "jasperreports-6.20.0.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/jasperreports-6.20.0.jar", "fingerprint" : "FALLBACK-b0f36103", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-10492: LanguageSpecificPackageVulnerability\u000a\u000aJasperReports has a Java deserialisation vulnerability\u000a\u000aFor additional help see: **Vulnerability CVE-2025-10492**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)|\u000a\u000aA Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\u000a\u000aPackage: net.sf.jasperreports:jasperreports\u000aInstalled Version: 6.20.0\u000aVulnerability CVE-2025-10492\u000aSeverity: HIGH\u000aFixed Version: 7.0.4\u000aLink: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "jasperreports-6.20.0.jar(1,0): CVE-2025-10492: : CVE-2025-10492: LanguageSpecificPackageVulnerability\u000a\u000aJasperReports has a Java deserialisation vulnerability\u000a\u000aFor additional help see: **Vulnerability CVE-2025-10492**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)|\u000a\u000aA Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\u000a\u000aPackage: net.sf.jasperreports:jasperreports\u000aInstalled Version: 6.20.0\u000aVulnerability CVE-2025-10492\u000aSeverity: HIGH\u000aFixed Version: 7.0.4\u000aLink: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)", "type" : "CVE-2025-10492" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-19072676", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "type" : "CVE-2023-34396" } ], "size" : 15, "toString" : "15 warnings (high: 7, normal: 8)" }