{ "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi", "issues" : [ { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "log4j-core-2.25.3.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/log4j-core-2.25.3.jar", "fingerprint" : "FALLBACK-6610c7f6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-34480: LanguageSpecificPackageVulnerability\u000a\u000aApache Log4j Core's XmlLayout fails to sanitize characters\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34480**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.logging.log4j:log4j-core|2.25.4, 3.0.0-beta3|[CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)|\u000a\u000aApache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.\u000a\u000aThe impact depends on the StAX implementation in use:\u000a\u000a * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\u000a * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.\u000a\u000a\u000aUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.\u000a\u000aPackage: org.apache.logging.log4j:log4j-core\u000aInstalled Version: 2.25.3\u000aVulnerability CVE-2026-34480\u000aSeverity: MEDIUM\u000aFixed Version: 2.25.4, 3.0.0-beta3\u000aLink: [CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "NORMAL", "toString" : "log4j-core-2.25.3.jar(1,0): CVE-2026-34480: : CVE-2026-34480: LanguageSpecificPackageVulnerability\u000a\u000aApache Log4j Core's XmlLayout fails to sanitize characters\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34480**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.logging.log4j:log4j-core|2.25.4, 3.0.0-beta3|[CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)|\u000a\u000aApache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.\u000a\u000aThe impact depends on the StAX implementation in use:\u000a\u000a * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\u000a * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.\u000a\u000a\u000aUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.\u000a\u000aPackage: org.apache.logging.log4j:log4j-core\u000aInstalled Version: 2.25.3\u000aVulnerability CVE-2026-34480\u000aSeverity: MEDIUM\u000aFixed Version: 2.25.4, 3.0.0-beta3\u000aLink: [CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)", "type" : "CVE-2026-34480" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "log4j-layout-template-json-2.25.3.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/log4j-layout-template-json-2.25.3.jar", "fingerprint" : "FALLBACK-78a9f3ba", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-34481: LanguageSpecificPackageVulnerability\u000a\u000aApache Log4j's JsonTemplateLayout produces invalid JSON output when log events contain non-finite floating-point values\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34481**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.logging.log4j:log4j-layout-template-json|2.25.4, 3.0.0-beta3|[CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)|\u000a\u000aApache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\u000a\u000aAn attacker can exploit this issue only if both of the following conditions are met:\u000a\u000a * The application uses JsonTemplateLayout.\u000a * The application logs a MapMessage containing an attacker-controlled floating-point value.\u000a\u000a\u000aUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.\u000a\u000aPackage: org.apache.logging.log4j:log4j-layout-template-json\u000aInstalled Version: 2.25.3\u000aVulnerability CVE-2026-34481\u000aSeverity: MEDIUM\u000aFixed Version: 2.25.4, 3.0.0-beta3\u000aLink: [CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "NORMAL", "toString" : "log4j-layout-template-json-2.25.3.jar(1,0): CVE-2026-34481: : CVE-2026-34481: LanguageSpecificPackageVulnerability\u000a\u000aApache Log4j's JsonTemplateLayout produces invalid JSON output when log events contain non-finite floating-point values\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34481**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.logging.log4j:log4j-layout-template-json|2.25.4, 3.0.0-beta3|[CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)|\u000a\u000aApache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\u000a\u000aAn attacker can exploit this issue only if both of the following conditions are met:\u000a\u000a * The application uses JsonTemplateLayout.\u000a * The application logs a MapMessage containing an attacker-controlled floating-point value.\u000a\u000a\u000aUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.\u000a\u000aPackage: org.apache.logging.log4j:log4j-layout-template-json\u000aInstalled Version: 2.25.3\u000aVulnerability CVE-2026-34481\u000aSeverity: MEDIUM\u000aFixed Version: 2.25.4, 3.0.0-beta3\u000aLink: [CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)", "type" : "CVE-2026-34481" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "spring-security-web-5.8.16.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/spring-security-web-5.8.16.jar", "fingerprint" : "FALLBACK-db203dab", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-22732: LanguageSpecificPackageVulnerability\u000a\u000aSpring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers\u000a\u000aFor additional help see: **Vulnerability CVE-2026-22732**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)|\u000a\u000aWhen applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \u000aThis issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:\u000a\u000a: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.\u000a\u000aPackage: org.springframework.security:spring-security-web\u000aInstalled Version: 5.8.16\u000aVulnerability CVE-2026-22732\u000aSeverity: CRITICAL\u000aFixed Version: 6.5.9, 7.0.4\u000aLink: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "spring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability\u000a\u000aSpring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers\u000a\u000aFor additional help see: **Vulnerability CVE-2026-22732**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)|\u000a\u000aWhen applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \u000aThis issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:\u000a\u000a: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.\u000a\u000aPackage: org.springframework.security:spring-security-web\u000aInstalled Version: 5.8.16\u000aVulnerability CVE-2026-22732\u000aSeverity: CRITICAL\u000aFixed Version: 6.5.9, 7.0.4\u000aLink: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)", "type" : "CVE-2026-22732" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-19072676", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability\u000a\u000aApache Struts vulnerable to memory exhaustion\u000a\u000aFor additional help see: **Vulnerability CVE-2023-34396**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)|\u000a\u000aAllocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\u000a\u000aUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2023-34396\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)", "type" : "CVE-2023-34396" } ], "size" : 5, "toString" : "5 warnings (high: 2, normal: 3)" }