Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: Close Editor Tabs Left and Right

de.funfried.netbeans.plugins:nb-editor-close-left-right:1.0.8-SNAPSHOT


Summary

Summary of Vulnerable Dependencies

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| JavaEWAH-1.1.13.jar | | pkg:maven/com.googlecode.javaewah/JavaEWAH@1.1.13 | | 0 | | 33 |
| asm-all-5.0.1.jar | | pkg:maven/org.ow2.asm/asm-all@5.0.1 | | 0 | | 28 |
| commons-io-2.20.0.jar | cpe:2.3:a:apache:commons_io:2.20.0:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.20.0 | | 0 | Highest | 125 |
| commons-lang3-3.19.0.jar | cpe:2.3:a:apache:commons_lang:3.19.0:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-lang3@3.19.0 | | 0 | Highest | 145 |
| commons-text-1.14.0.jar | cpe:2.3:a:apache:commons_text:1.14.0:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-text@1.14.0 | | 0 | Highest | 73 |
| eddsa-0.3.0.jar | cpe:2.3:a:4d:4d:0.3.0:*:*:*:*:*:*:* | pkg:maven/net.i2p.crypto/eddsa@0.3.0 | | 0 | Low | 33 |
| javax.inject-1.jar | | pkg:maven/javax.inject/javax.inject@1 | | 0 | | 20 |
| jcl-over-slf4j-1.7.36.jar | | pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36 | | 0 | | 33 |
| maven-scm-api-2.2.1.jar | | pkg:maven/org.apache.maven.scm/maven-scm-api@2.2.1 | | 0 | | 26 |
| maven-scm-provider-git-commons-2.2.1.jar | | pkg:maven/org.apache.maven.scm/maven-scm-provider-git-commons@2.2.1 | | 0 | | 30 |
| maven-scm-provider-gitexe-2.2.1.jar | | pkg:maven/org.apache.maven.scm/maven-scm-provider-gitexe@2.2.1 | | 0 | | 28 |
| maven-scm-provider-jgit-2.2.1.jar | | pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1 | | 0 | | 28 |
| org-netbeans-bootstrap-RELEASE110.jar | cpe:2.3:a:apache:apr-util:*:*:*:*:*:*:*:*; cpe:2.3:a:apache:netbeans:ase110:*:*:*:*:*:*:* | pkg:maven/org.netbeans.modules/org-netbeans-bootstrap@RELEASE110 | HIGH | 6 | Highest | 29 |
| org-netbeans-modules-projectapi-RELEASE110.jar | cpe:2.3:a:apache:netbeans:ase110:*:*:*:*:*:*:* | pkg:maven/org.netbeans.api/org-netbeans-modules-projectapi@RELEASE110 | | 0 | Medium | 33 |
| org-netbeans-modules-projectuiapi-base-RELEASE110.jar | cpe:2.3:a:base-files_project:base-files:10.1ubuntu2.2:*:*:*:*:*:*:* | pkg:maven/org.netbeans.api/org-netbeans-modules-projectuiapi-base@RELEASE110 | HIGH | 1 | Highest | 32 |
| org-openide-util-lookup-RELEASE110.jar | | pkg:maven/org.netbeans.api/org-openide-util-lookup@RELEASE110 | | 0 | | 27 |
| org.eclipse.jgit-5.13.3.202401111512-r.jar | cpe:2.3:a:eclipse:jgit:5.13.3:202401111512:*:*:*:*:*:* | pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.13.3.202401111512-r | HIGH | 2 | Highest | 38 |
| plexus-interactivity-api-1.4.jar | | pkg:maven/org.codehaus.plexus/plexus-interactivity-api@1.4 | | 0 | | 26 |
| plexus-utils-4.0.2.jar | cpe:2.3:a:codehaus-plexus:plexus-utils:4.0.2:*:*:*:*:*:*:*; cpe:2.3:a:utils_project:utils:4.0.2:*:*:*:*:*:*:* | pkg:maven/org.codehaus.plexus/plexus-utils@4.0.2 | | 0 | Highest | 219 |
| plexus-xml-3.0.1.jar | | pkg:maven/org.codehaus.plexus/plexus-xml@3.0.1 | | 0 | | 29 |
| slf4j-api-1.7.36.jar | | pkg:maven/org.slf4j/slf4j-api@1.7.36 | | 0 | | 29 |
| sshd-core-2.7.0.jar | cpe:2.3:a:apache:sshd:2.7.0:*:*:*:*:*:*:* | pkg:maven/org.apache.sshd/sshd-core@2.7.0 | CRITICAL | 3 | Highest | 26 |

Dependencies (vulnerable)

JavaEWAH-1.1.13.jar

Description:

The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.
  JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.
  The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme. 

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/googlecode/javaewah/JavaEWAH/1.1.13/JavaEWAH-1.1.13.jar
MD5: a1eb305e5cc5bba238d4360e3139abb4
SHA1: 32cd724a42dc73f99ca08453d11a4bb83e0034c7
SHA256: 4c0fda2b1d317750d7ea324e36c70b2bc48310c0aaae67b98df0915d696d7111
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
JavaEWAH-1.1.13.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1

Identifiers

  • pkg:maven/com.googlecode.javaewah/JavaEWAH@1.1.13  (Confidence:High)

asm-all-5.0.1.jar

File Path: /home/runner/.m2/repository/org/ow2/asm/asm-all/5.0.1/asm-all-5.0.1.jar
MD5: 279e80742ddff574fbc87244eb5c9d54
SHA1: 2f7553f50b0d14ed811b849c282da8c1ffc32aae
SHA256: 94ecde163b4ca3a42425cd830c79197f22d0d1336d471ced6a8a83b07acbf7c8
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
asm-all-5.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.netbeans.api/org-netbeans-modules-options-api@RELEASE110

Identifiers

  • pkg:maven/org.ow2.asm/asm-all@5.0.1  (Confidence:High)

commons-io-2.20.0.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-io/commons-io/2.20.0/commons-io-2.20.0.jar
MD5: 94e7e6b9b5fe82388687b584d3571081
SHA1: 36f3474daec2849c149e877614e7f979b2082cd2
SHA256: df90bba0fe3cb586b7f164e78fe8f8f4da3f2dd5c27fa645f888100ccc25dd72
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
commons-io-2.20.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-gitexe@2.2.1

Identifiers

commons-lang3-3.19.0.jar

Description:

Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

The code is tested using the latest revision of the JDK for supported
LTS releases: 8, 11, 17 and 21 currently.
See https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml

Please ensure your build environment is up-to-date and kindly report any build issues.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.19.0/commons-lang3-3.19.0.jar
MD5: 2ac2db154e365d55d167ec1215125a3a
SHA1: d6524b169a6574cd253760c472d419b47bfd37e6
SHA256: 32733ab4bc90b45b63eb72677d886961003fd4ed113e07b1028f9877cb2ac735
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
commons-lang3-3.19.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

commons-text-1.14.0.jar

Description:

Apache Commons Text is a set of utility functions and reusable components for processing
and manipulating text in a Java environment.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-text/1.14.0/commons-text-1.14.0.jar
MD5: 54960a12a82d52df3d5548d6934d87b2
SHA1: adcb0d4c67eabc79682604b47eb852aaff21138a
SHA256: 121fce2282910c8f0c3ba793a5436b31beb710423cbe2d574a3fb7a73c508e92
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
commons-text-1.14.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-gitexe@2.2.1

Identifiers

eddsa-0.3.0.jar

Description:

Implementation of EdDSA in Java

License:

CC0 1.0 Universal: https://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/runner/.m2/repository/net/i2p/crypto/eddsa/0.3.0/eddsa-0.3.0.jar
MD5: ee7de3b6f19de76a06e465efc978f669
SHA1: 1901c8d4d8bffb7d79027686cfb91e704217c3e1
SHA256: 4dda1120db856640dbec04140ed23242215a075fe127bdefa0dcfa29fb31267d
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
eddsa-0.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1

Identifiers

  • pkg:maven/net.i2p.crypto/eddsa@0.3.0  (Confidence:High)
  • cpe:2.3:a:4d:4d:0.3.0:*:*:*:*:*:*:*  (Confidence:Low)  

javax.inject-1.jar

Description:

The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256: 91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
javax.inject-1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-gitexe@2.2.1

Identifiers

  • pkg:maven/javax.inject/javax.inject@1  (Confidence:High)

jcl-over-slf4j-1.7.36.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.36/jcl-over-slf4j-1.7.36.jar
MD5: 8065610cde33ed9fd5d34367912c1938
SHA1: d877e195a05aca4a2f1ad2ff14bfec1393af4b5e
SHA256: ab57ca8fd223772c17365d121f59e94ecbf0ae59d08c03a3cb5b81071c019195
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
jcl-over-slf4j-1.7.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1

Identifiers

  • pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36  (Confidence:High)

maven-scm-api-2.2.1.jar

Description:

The SCM API provides mechanisms to manage all SCM tools.

File Path: /home/runner/.m2/repository/org/apache/maven/scm/maven-scm-api/2.2.1/maven-scm-api-2.2.1.jar
MD5: 1ef6b239f79a41c52e4eb871ddaa3c13
SHA1: 451345bd695fa717ec2ceb177d3543153cd3d77d
SHA256: d843c0611a21191e4a34804152c8bd9ec364f41e076713df8db99f6df7f386d3
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
maven-scm-api-2.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

  • pkg:maven/org.apache.maven.scm/maven-scm-api@2.2.1  (Confidence:High)

maven-scm-provider-git-commons-2.2.1.jar

Description:

Common library for SCM Git Provider.

File Path: /home/runner/.m2/repository/org/apache/maven/scm/maven-scm-provider-git-commons/2.2.1/maven-scm-provider-git-commons-2.2.1.jar
MD5: 27481c012ba069b900c3c8e7f2b4a79c
SHA1: ecffb44a1ef2fedea19ea361a676364046679a69
SHA256: 2002d91bf483d6ec6686c12f12a1cdcc21330d3547aa8cc15ed7e9eee543ae10
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
maven-scm-provider-git-commons-2.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

  • pkg:maven/org.apache.maven.scm/maven-scm-provider-git-commons@2.2.1  (Confidence:High)

maven-scm-provider-gitexe-2.2.1.jar

Description:

SCM Git Provider relying on the Git CLI

File Path: /home/runner/.m2/repository/org/apache/maven/scm/maven-scm-provider-gitexe/2.2.1/maven-scm-provider-gitexe-2.2.1.jar
MD5: d2d9bd2231cb02449f93274809d98754
SHA1: fcf03560d007dc1c4c9da27ee481933bae7ed274
SHA256: e39b2dbc6e7c2c678648aeee3e7698c0f67678b938d05bf9b14c7826a5458adb
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
maven-scm-provider-gitexe-2.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

  • pkg:maven/org.apache.maven.scm/maven-scm-provider-gitexe@2.2.1  (Confidence:High)

maven-scm-provider-jgit-2.2.1.jar

Description:

JGIT implementation for SCM Git Provider.
See http://eclipse.org/jgit/

File Path: /home/runner/.m2/repository/org/apache/maven/scm/maven-scm-provider-jgit/2.2.1/maven-scm-provider-jgit-2.2.1.jar
MD5: e97c61467207996d7f472cca4600d223
SHA1: 7bcf1817d07349affbfbc3434fb17dfd336a229c
SHA256: 390d3d0a0ec09cd5d9ce4260351bd23b54e36b24770332ab67621fb51ee30172
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
maven-scm-provider-jgit-2.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

  • pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1  (Confidence:High)

org-netbeans-bootstrap-RELEASE110.jar

File Path: /home/runner/.m2/repository/org/netbeans/modules/org-netbeans-bootstrap/RELEASE110/org-netbeans-bootstrap-RELEASE110.jar
MD5: c955d38a30cf09a3e7dad7092a2bc4fe
SHA1: 4cae8a69b95b74d2bfb1944de7a08088fa908aa9
SHA256: 84d5c5a955d5d8639baf32ac9958b3d150c1001076b96563fec820371c8c2e55
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
org-netbeans-bootstrap-RELEASE110.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.netbeans.api/org-netbeans-modules-options-api@RELEASE110

Identifiers

CVE-2009-2412  

Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows.  NOTE: some of these details are obtained from third party information.
CWE-189 Numeric Errors

CVSSv2:
  • Base Score: HIGH (10.0)
  • Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C

References:

Vulnerable Software & Versions:

CVE-2009-1955  

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2009-1956  

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
CWE-189 Numeric Errors

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2010-1623  

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2009-0023  

The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

CVE-2011-1928  

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.  NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions:

org-netbeans-modules-projectapi-RELEASE110.jar

File Path: /home/runner/.m2/repository/org/netbeans/api/org-netbeans-modules-projectapi/RELEASE110/org-netbeans-modules-projectapi-RELEASE110.jar
MD5: 49976d13e55ee444c17bd32665a47247
SHA1: f313397dc63baeb2f2b16fc95c73df935476f2d1
SHA256: d97b1beb5d25825a1956675465c70f0ab5e5db267a4d19bdaa02c196cfc5bc54
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
org-netbeans-modules-projectapi-RELEASE110.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

org-netbeans-modules-projectuiapi-base-RELEASE110.jar

File Path: /home/runner/.m2/repository/org/netbeans/api/org-netbeans-modules-projectuiapi-base/RELEASE110/org-netbeans-modules-projectuiapi-base-RELEASE110.jar
MD5: 2a665f1cfe3b4b956e47fa05decd75d6
SHA1: 62b39080e1d70b968b2cf02675dc69762550db8f
SHA256: a6d78ec80abc46f714ed84e9b1608a203abf551cb056496a67f434b9e0599ce8
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
org-netbeans-modules-projectuiapi-base-RELEASE110.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

CVE-2018-6557  

The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

org-openide-util-lookup-RELEASE110.jar

File Path: /home/runner/.m2/repository/org/netbeans/api/org-openide-util-lookup/RELEASE110/org-openide-util-lookup-RELEASE110.jar
MD5: 7081cbb64509a795a2f6be7aafdd7f04
SHA1: afcde9aa1fd6132b77f3d4e0ae89012c8324694a
SHA256: b70f8ef33437b6bf4525002f5374f560b980e5a5f74c9f3733a5b1fca792ad59
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
org-openide-util-lookup-RELEASE110.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.8-SNAPSHOT

Identifiers

  • pkg:maven/org.netbeans.api/org-openide-util-lookup@RELEASE110  (Confidence:High)

org.eclipse.jgit-5.13.3.202401111512-r.jar

Description:

Repository access and algorithms

File Path: /home/runner/.m2/repository/org/eclipse/jgit/org.eclipse.jgit/5.13.3.202401111512-r/org.eclipse.jgit-5.13.3.202401111512-r.jar
MD5: 37a213f59c76b11db423c37a1bfe084f
SHA1: 7949cce60ba913f99259a0f421ab5ebf6c2524b4
SHA256: dacb74c28b089bc378f8c2a1dcda5110c20f52124f5a020aef2684d70ef7f1bb
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
org.eclipse.jgit-5.13.3.202401111512-r.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1

Identifiers

CVE-2023-4759  

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/. A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

CWE-59 Improper Link Resolution Before File Access ('Link Following'), CWE-178 Improper Handling of Case Sensitivity

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2025-4949  

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
CWE-611 Improper Restriction of XML External Entity Reference, CWE-827 Improper Control of Document Type Definition

CVSSv4:
  • Base Score: MEDIUM (6.8)
  • Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

plexus-interactivity-api-1.4.jar

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-interactivity-api/1.4/plexus-interactivity-api-1.4.jar
MD5: 786445feb10c620690d33af22773e556
SHA1: 089039c8d54a2dc00524274d98fb5183818099f7
SHA256: 3d82c3b8afb0ac42d0087adbb6d9aa77e7253beb6e8b31f9159a3fcd74d5ee3c
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
plexus-interactivity-api-1.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1

Identifiers

  • pkg:maven/org.codehaus.plexus/plexus-interactivity-api@1.4  (Confidence:High)

plexus-utils-4.0.2.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines and
more.

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-utils/4.0.2/plexus-utils-4.0.2.jar
MD5: 4cfdd73e436702d319d551a44fcea500
SHA1: 9526a9548b302572f23337fcc217fb4cc713b9c3
SHA256: 8957274e75fe2c278b1428dd16a0daeee1dd38152cb6eff816177ac28fccb697
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
plexus-utils-4.0.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-api@2.2.1

Identifiers

plexus-xml-3.0.1.jar

Description:

A collection of various utility classes to ease working with XML in Maven 3.

File Path: /home/runner/.m2/repository/org/codehaus/plexus/plexus-xml/3.0.1/plexus-xml-3.0.1.jar
MD5: cd868918ebc742350840124ea4422ab0
SHA1: b0e73c21402f03c2765674b8dede21673b3288cf
SHA256: c1a510a87a62bd2d74ac1472dd31c3f9e9b0b8b8568f37d77c0f135415bebd05
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
plexus-xml-3.0.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-git-commons@2.2.1

Identifiers

  • pkg:maven/org.codehaus.plexus/plexus-xml@3.0.1  (Confidence:High)

slf4j-api-1.7.36.jar

Description:

The slf4j API

File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar
MD5: 872da51f5de7f3923da4de871d57fd85
SHA1: 6c62681a2f655b49963a5983b8b0950a6120ae14
SHA256: d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
slf4j-api-1.7.36.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-api@2.2.1

Identifiers

  • pkg:maven/org.slf4j/slf4j-api@1.7.36  (Confidence:High)

sshd-core-2.7.0.jar

File Path: /home/runner/.m2/repository/org/apache/sshd/sshd-core/2.7.0/sshd-core-2.7.0.jar
MD5: 38d8a9c37469025340a1f5bfa68c7f86
SHA1: 6059f31f67f82b815e334faf3758037f473c59bc
SHA256: 2f23d666dd1fd3317891d784f324542e236d89658c02adc7c02d137aa556e636
Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
sshd-core-2.7.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.maven.scm/maven-scm-provider-jgit@2.2.1

Identifiers

CVE-2022-45047  

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
CWE-354 Improper Validation of Integrity Check Value

CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A

References:

Vulnerable Software & Versions:

CVE-2023-35887

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.

In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks.

This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv3:
  • Base Score: MEDIUM (4.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.