{ "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi", "issues" : [ { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang3-3.12.0.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/commons-lang3-3.12.0.jar", "fingerprint" : "FALLBACK-9b075b6d", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: org.apache.commons:commons-lang3\u000aInstalled Version: 3.12.0\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: 3.18.0\u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "NORMAL", "toString" : "commons-lang3-3.12.0.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.commons:commons-lang3|3.18.0|[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: org.apache.commons:commons-lang3\u000aInstalled Version: 3.12.0\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: 3.18.0\u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "nimbus-jose-jwt-9.37.3.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/nimbus-jose-jwt-9.37.3.jar", "fingerprint" : "FALLBACK-ef0d0e", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-53864: LanguageSpecificPackageVulnerability\u000a\u000acom.nimbusds/nimbus-jose-jwt: Uncontrolled recursion in Connect2id Nimbus JOSE + JWT\u000a\u000aFor additional help see: **Vulnerability CVE-2025-53864**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|com.nimbusds:nimbus-jose-jwt|10.0.2|[CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)|\u000a\u000aConnect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\u000a\u000aPackage: com.nimbusds:nimbus-jose-jwt\u000aInstalled Version: 9.37.3\u000aVulnerability CVE-2025-53864\u000aSeverity: MEDIUM\u000aFixed Version: 10.0.2\u000aLink: [CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "NORMAL", "toString" : "nimbus-jose-jwt-9.37.3.jar(1,0): CVE-2025-53864: : CVE-2025-53864: LanguageSpecificPackageVulnerability\u000a\u000acom.nimbusds/nimbus-jose-jwt: Uncontrolled recursion in Connect2id Nimbus JOSE + JWT\u000a\u000aFor additional help see: **Vulnerability CVE-2025-53864**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|com.nimbusds:nimbus-jose-jwt|10.0.2|[CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)|\u000a\u000aConnect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\u000a\u000aPackage: com.nimbusds:nimbus-jose-jwt\u000aInstalled Version: 9.37.3\u000aVulnerability CVE-2025-53864\u000aSeverity: MEDIUM\u000aFixed Version: 10.0.2\u000aLink: [CVE-2025-53864](https://avd.aquasec.com/nvd/cve-2025-53864)", "type" : "CVE-2025-53864" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "snakeyaml-1.33-gov4j-1.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/snakeyaml-1.33-gov4j-1.jar", "fingerprint" : "FALLBACK-eebdca5a", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "HIGH", "toString" : "snakeyaml-1.33-gov4j-1.jar(1,0): CVE-2022-1471: : CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)", "type" : "CVE-2022-1471" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-c899e9a0", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2012-1007: LanguageSpecificPackageVulnerability\u000a\u000astruts: multiple XSS flaws\u000a\u000aFor additional help see: **Vulnerability CVE-2012-1007**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.struts:struts-core||[CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)|\u000a\u000aMultiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2012-1007\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "NORMAL", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2012-1007: : CVE-2012-1007: LanguageSpecificPackageVulnerability\u000a\u000astruts: multiple XSS flaws\u000a\u000aFor additional help see: **Vulnerability CVE-2012-1007**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.struts:struts-core||[CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)|\u000a\u000aMultiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2012-1007\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2012-1007](https://avd.aquasec.com/nvd/cve-2012-1007)", "type" : "CVE-2012-1007" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-28b84752", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2015-0899: LanguageSpecificPackageVulnerability\u000a\u000a1: input validation bypass in MultiPageValidator\u000a\u000aFor additional help see: **Vulnerability CVE-2015-0899**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)|\u000a\u000aThe MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2015-0899\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2015-0899: : CVE-2015-0899: LanguageSpecificPackageVulnerability\u000a\u000a1: input validation bypass in MultiPageValidator\u000a\u000aFor additional help see: **Vulnerability CVE-2015-0899**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)|\u000a\u000aThe MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2015-0899\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2015-0899](https://avd.aquasec.com/nvd/cve-2015-0899)", "type" : "CVE-2015-0899" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-e21260e2", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2016-1181: LanguageSpecificPackageVulnerability\u000a\u000astruts: Vulnerability in ActionForm allows unintended remote operations against components on server memory\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1181**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1181\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2016-1181: : CVE-2016-1181: LanguageSpecificPackageVulnerability\u000a\u000astruts: Vulnerability in ActionForm allows unintended remote operations against components on server memory\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1181**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1181\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1181](https://avd.aquasec.com/nvd/cve-2016-1181)", "type" : "CVE-2016-1181" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "struts-core-1.3.10.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/struts-core-1.3.10.jar", "fingerprint" : "FALLBACK-e22ef9d3", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2016-1182: LanguageSpecificPackageVulnerability\u000a\u000astruts: Improper input validation in Validator\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1182**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1182\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "HIGH", "toString" : "struts-core-1.3.10.jar(1,0): CVE-2016-1182: : CVE-2016-1182: LanguageSpecificPackageVulnerability\u000a\u000astruts: Improper input validation in Validator\u000a\u000aFor additional help see: **Vulnerability CVE-2016-1182**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.struts:struts-core||[CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)|\u000a\u000aActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.\u000a\u000aPackage: org.apache.struts:struts-core\u000aInstalled Version: 1.3.10\u000aVulnerability CVE-2016-1182\u000aSeverity: HIGH\u000aFixed Version: \u000aLink: [CVE-2016-1182](https://avd.aquasec.com/nvd/cve-2016-1182)", "type" : "CVE-2016-1182" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "commons-lang-2.6.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/commons-lang-2.6.jar", "fingerprint" : "FALLBACK-f48ad3a6", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1301", "severity" : "NORMAL", "toString" : "commons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability\u000a\u000acommons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang\u000a\u000aFor additional help see: **Vulnerability CVE-2025-48924**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)|\u000a\u000aUncontrolled Recursion vulnerability in Apache Commons Lang.\u000a\u000aThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\u000a\u000aThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \u000aStackOverflowError could cause an application to stop.\u000a\u000aUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u000a\u000aPackage: commons-lang:commons-lang\u000aInstalled Version: 2.6\u000aVulnerability CVE-2025-48924\u000aSeverity: MEDIUM\u000aFixed Version: \u000aLink: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)", "type" : "CVE-2025-48924" } ], "size" : 9, "toString" : "9 warnings (high: 4, normal: 5)" }