{
  "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi",
  "issues" : [
    {
      "addedAt" : 0,
      "authorEmail" : "-",
      "authorName" : "-",
      "baseName" : "commons-lang-2.6.jar",
      "category" : "",
      "columnEnd" : 0,
      "columnStart" : 0,
      "commit" : "-",
      "description" : "",
      "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/commons-lang-2.6.jar",
      "fingerprint" : "FALLBACK-f48ad3a6",
      "lineEnd" : 1,
      "lineStart" : 1,
      "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)",
      "moduleName" : "",
      "origin" : "trivy",
      "originName" : "Trivy Security Scanner",
      "packageName" : "-",
      "reference" : "1300",
      "severity" : "NORMAL",
      "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)",
      "type" : "CVE-2025-48924"
    },
    {
      "addedAt" : 0,
      "authorEmail" : "-",
      "authorName" : "-",
      "baseName" : "commons-lang3-3.12.0.jar",
      "category" : "",
      "columnEnd" : 0,
      "columnStart" : 0,
      "commit" : "-",
      "description" : "",
      "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/commons-lang3-3.12.0.jar",
      "fingerprint" : "FALLBACK-9b075b6d",
      "lineEnd" : 1,
      "lineStart" : 1,
      "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: org.apache.commons:commons-lang3\u000aInstalled Version: 3.12.0\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: 3.18.0\u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)",
      "moduleName" : "",
      "origin" : "trivy",
      "originName" : "Trivy Security Scanner",
      "packageName" : "-",
      "reference" : "1300",
      "severity" : "NORMAL",
      "toString" : "commons-lang3-3.12.0.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: org.apache.commons:commons-lang3\u000aInstalled Version: 3.12.0\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: 3.18.0\u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)",
      "type" : "CVE-2025-48924"
    },
    {
      "addedAt" : 0,
      "authorEmail" : "-",
      "authorName" : "-",
      "baseName" : "nimbus-jose-jwt-9.37.3.jar",
      "category" : "",
      "columnEnd" : 0,
      "columnStart" : 0,
      "commit" : "-",
      "description" : "",
      "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/nimbus-jose-jwt-9.37.3.jar",
      "fingerprint" : "FALLBACK-ef0d0e",
      "lineEnd" : 1,
      "lineStart" : 1,
      "message" : "CVE-2025-53864: LanguageSpecificPackageVulnerability\u000a\u000acom.nimbusds/nimbus-jose-jwt: Uncontrolled recursion in Connect2id Nimbus JOSE + JWT\u000a\u000aFor additional help see: **Vulnerability CVE-2025-53864**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|com.nimbusds:nimbus-jose-jwt|10.0.2|[CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)|\u000a\u000aConnect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\u000a\u000aPackage: com.nimbusds:nimbus-jose-jwt\u000aInstalled Version: 9.37.3\u000aVulnerability CVE-2025-53864\u000aSeverity: MEDIUM\u000aFixed Version: 10.0.2\u000aLink: [CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)",
      "moduleName" : "",
      "origin" : "trivy",
      "originName" : "Trivy Security Scanner",
      "packageName" : "-",
      "reference" : "1300",
      "severity" : "NORMAL",
      "toString" : "nimbus-jose-jwt-9.37.3.jar(1,0): CVE-2025-53864: : CVE-2025-53864: LanguageSpecificPackageVulnerability\u000a\u000acom.nimbusds/nimbus-jose-jwt: Uncontrolled recursion in Connect2id Nimbus JOSE + JWT\u000a\u000aFor additional help see: **Vulnerability CVE-2025-53864**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|com.nimbusds:nimbus-jose-jwt|10.0.2|[CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)|\u000a\u000aConnect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\u000a\u000aPackage: com.nimbusds:nimbus-jose-jwt\u000aInstalled Version: 9.37.3\u000aVulnerability CVE-2025-53864\u000aSeverity: MEDIUM\u000aFixed Version: 10.0.2\u000aLink: [CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)",
      "type" : "CVE-2025-53864"
    },
    {
      "addedAt" : 0,
      "authorEmail" : "-",
      "authorName" : "-",
      "baseName" : "snakeyaml-1.33-gov4j-1.jar",
      "category" : "",
      "columnEnd" : 0,
      "columnStart" : 0,
      "commit" : "-",
      "description" : "",
      "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/snakeyaml-1.33-gov4j-1.jar",
      "fingerprint" : "FALLBACK-eebdca5a",
      "lineEnd" : 1,
      "lineStart" : 1,
      "message" : "CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)",
      "moduleName" : "",
      "origin" : "trivy",
      "originName" : "Trivy Security Scanner",
      "packageName" : "-",
      "reference" : "1300",
      "severity" : "HIGH",
      "toString" : "snakeyaml-1.33-gov4j-1.jar(1,0): CVE-2022-1471: : CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)",
      "type" : "CVE-2022-1471"
    }
  ],
  "size" : 4,
  "toString" : "4 warnings (high: 1, normal: 3)"
}