{ "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi", "issues" : [ { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "snakeyaml-1.33-gov4j-1.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/snakeyaml-1.33-gov4j-1.jar", "fingerprint" : "FALLBACK-eebdca5a", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1284", "severity" : "HIGH", "toString" : "snakeyaml-1.33-gov4j-1.jar(1,0): CVE-2022-1471: : CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)", "type" : "CVE-2022-1471" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-c899e9a0", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2012-1007: LanguageSpecificPackageVulnerability\u000a\u000astruts: multiple XSS flaws\u000a\u000aFor additional help see: **Vulnerability CVE-2012-1007**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.struts:struts-core||[CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)|\u000a\u000aMultiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2012-1007\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1284", "severity" : "NORMAL", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2012-1007: : CVE-2012-1007: LanguageSpecificPackageVulnerability\u000a\u000astruts: multiple XSS flaws\u000a\u000aFor additional help see: **Vulnerability CVE-2012-1007**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.struts:struts-core||[CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)|\u000a\u000aMultiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2012-1007\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)", "type" : "CVE-2012-1007" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-28b84752", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2015-0899: LanguageSpecificPackageVulnerability\u000a\u000a1: input validation bypass in MultiPageValidator\u000a\u000aFor additional help see: **Vulnerability CVE-2015-0899**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)|\u000a\u000aThe MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2015-0899\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1284", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2015-0899: : CVE-2015-0899: LanguageSpecificPackageVulnerability\u000a\u000a1: input validation bypass in MultiPageValidator\u000a\u000aFor additional help see: **Vulnerability CVE-2015-0899**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)|\u000a\u000aThe MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2015-0899\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)", "type" : "CVE-2015-0899" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-e21260e2", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2016-1181: LanguageSpecificPackageVulnerability\u000a\u000astruts: Vulnerability in ActionForm allows unintended remote operations against components on server memory\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1181**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1181\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1284", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2016-1181: : CVE-2016-1181: LanguageSpecificPackageVulnerability\u000a\u000astruts: Vulnerability in ActionForm allows unintended remote operations against components on server memory\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1181**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1181\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)", "type" : "CVE-2016-1181" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-e22ef9d3", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2016-1182: LanguageSpecificPackageVulnerability\u000a\u000astruts: Improper input validation in Validator\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1182**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1182\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1284", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2016-1182: : CVE-2016-1182: LanguageSpecificPackageVulnerability\u000a\u000astruts: Improper input validation in Validator\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1182**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1182\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)", "type" : "CVE-2016-1182" } ], "size" : 5, "toString" : "5 warnings (high: 4, normal: 1)" }