Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-all/5.0.1/asm-all-5.0.1.jar MD5: 279e80742ddff574fbc87244eb5c9d54 SHA1: 2f7553f50b0d14ed811b849c282da8c1ffc32aae SHA256:94ecde163b4ca3a42425cd830c79197f22d0d1336d471ced6a8a83b07acbf7c8 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile asm-all-5.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-modules-options-api@RELEASE110
File Path: /home/runner/.m2/repository/org/netbeans/external/com-jcraft-jsch/RELEASE110/com-jcraft-jsch-RELEASE110.jar/META-INF/maven/com.jcraft/jsch/pom.xml MD5: f091d901b6894623e47920a163ead7b7 SHA1: 8e82e6a2cb5664170faa2a5abdc297e589a37df1 SHA256:ab8f512039be7f6ae20e18e743b4a9d8a20958494431917da58ae5aaef8a3478 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
File Path: /home/runner/.m2/repository/org/netbeans/external/com-jcraft-jsch/RELEASE110/com-jcraft-jsch-RELEASE110.jar MD5: 94544243ea40626db204a433233fa8bd SHA1: ef081b559591cbd664058504275bea6ed49727be SHA256:730e8087d5638923a7a4da15e2b8c8d3991ab17544611f72153287a0b0d36098 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile com-jcraft-jsch-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/org/netbeans/external/com-jcraft-jzlib/RELEASE110/com-jcraft-jzlib-RELEASE110.jar/META-INF/maven/com.jcraft/jzlib/pom.xml MD5: f84811dfebf939645bb46fa3e8e527b9 SHA1: 7f94fb22988415c5ff3837362f181339358d8016 SHA256:61f74660e028fe64644ff34c01494504a9fb4e06b02875337a0edc2497371a4f Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
File Path: /home/runner/.m2/repository/org/netbeans/external/com-jcraft-jzlib/RELEASE110/com-jcraft-jzlib-RELEASE110.jar MD5: f320471c8f377385ef3722c6c722f834 SHA1: 8faef854f7752a93c5dc471251dd0671e158a60f SHA256:81f8de52c40593f8c41e02ec6215c091c38895474636a031afddd87f8acb266c Referenced In Project/Scope: Close Editor Tabs Left and Right:compile com-jcraft-jzlib-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar MD5: 4e5c3f5e6b0b965ef241d7d72ac8971f SHA1: 1ed471194b02f2c6cb734a0cd6f6f107c673afae SHA256:7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c Referenced In Project/Scope: Close Editor Tabs Left and Right:compile commons-lang3-3.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.6
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/4.4.0/jna-4.4.0.jar MD5: 34d3537524a6c8c134e840e7be601569 SHA1: cb208278274bf12ebdb56c61bd7407e6f774d65a SHA256:c4dadeeecaa90c8847902082aee5eb107fcf59c5d0e63a17fcaf273c0e2d2bd1 Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime jna-4.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna-platform/4.4.0/jna-platform-4.4.0.jar MD5: 45560bdb5603f1e4297e8156e30fa6d1 SHA1: f396b0ceb7ababb8b4a5ea25e6742ced81e3d86f SHA256:e9dda9e884fc107eb6367710540789a12dfa8ad28be9326b22ca6e352e325499 Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime jna-platform-4.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/com/jcraft/jsch.agentproxy.core/0.0.7/jsch.agentproxy.core-0.0.7.jar MD5: 0d4248a640962d82159b4e9c4bb48c76 SHA1: 9bcf818dc9e5247b01b1b18671a12caac293ae40 SHA256:c5cb21fed78fd2c581e40276e428b6407e4801edb0baa1f7ef0c1025d06a3a7f Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime jsch.agentproxy.core-0.0.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/com/jcraft/jsch.agentproxy.pageant/0.0.7/jsch.agentproxy.pageant-0.0.7.jar MD5: 200f22f9b2845e11eaa5f6a8bad51feb SHA1: b40c0d9b10d79a0683ca93e3f70360b3d8045b62 SHA256:609b7b9d00b29021397544652b649045209c41165790612b2b0df6f74c8dfb27 Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime jsch.agentproxy.pageant-0.0.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/com/jcraft/jsch.agentproxy.sshagent/0.0.7/jsch.agentproxy.sshagent-0.0.7.jar MD5: 5c4483e01a032a784be2f0b2ccb983ea SHA1: 5c09a3d2a0562de53cf616794f43f51a3c0a496c SHA256:fd03fdeb40312846a0827cce1b2f93773d0d1ccc134bdb953dfac2d2cd44b321 Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime jsch.agentproxy.sshagent-0.0.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/com/jcraft/jsch.agentproxy.usocket-jna/0.0.7/jsch.agentproxy.usocket-jna-0.0.7.jar MD5: 154b2f744a11226fd8abd92baef84523 SHA1: 98cf51ca8d7882c203729ffa48e9b7be4c50b835 SHA256:57b8169c4877a4820a57df9ec5e5306d195d633d90672d3cc05ea876ba6d4999 Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime jsch.agentproxy.usocket-jna-0.0.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/org/netbeans/external/org-eclipse-jgit/RELEASE110/org-eclipse-jgit-RELEASE110.jar/META-INF/maven/org.eclipse.jgit/org.eclipse.jgit/pom.xml MD5: 01286656475ebddf37a5997b24722ae0 SHA1: 7d15341fae9e9dbd7e93f144b16b28dcec74485d SHA256:a69a900a004a7fc317f0dc3728970bc05be814081ab2955c730f58716387d6c3 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0
In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.
This can happen on checkout (DirCacheCheckout), merge (ResolveMerger��via its WorkingTreeUpdater), pull (PullCommand��using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.
The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.
Setting git configuration option core.symlinks = false��before checking out avoids the problem.
The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ ��and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.
The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
CWE-178 Improper Handling of Case Sensitivity, CWE-59 Improper Link Resolution Before File Access ('Link Following')
File Path: /home/runner/.m2/repository/org/netbeans/external/org-eclipse-jgit/RELEASE110/org-eclipse-jgit-RELEASE110.jar MD5: 51c27cc7516fc686c80376f99701f9c1 SHA1: 47d59dffb5f02470ccfb6c1a5a31b6040a1636e5 SHA256:5659e9ad4e6579fc0a72dff9ed88cbd645d9d4cdb633a720d15143a2ac9f871a Referenced In Project/Scope: Close Editor Tabs Left and Right:compile org-eclipse-jgit-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
File Path: /home/runner/.m2/repository/org/netbeans/modules/org-netbeans-bootstrap/RELEASE110/org-netbeans-bootstrap-RELEASE110.jar MD5: c955d38a30cf09a3e7dad7092a2bc4fe SHA1: 4cae8a69b95b74d2bfb1944de7a08088fa908aa9 SHA256:84d5c5a955d5d8639baf32ac9958b3d150c1001076b96563fec820371c8c2e55 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile org-netbeans-bootstrap-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-modules-options-api@RELEASE110
Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.
File Path: /home/runner/.m2/repository/org/netbeans/api/org-netbeans-modules-projectuiapi-base/RELEASE110/org-netbeans-modules-projectuiapi-base-RELEASE110.jar MD5: 2a665f1cfe3b4b956e47fa05decd75d6 SHA1: 62b39080e1d70b968b2cf02675dc69762550db8f SHA256:a6d78ec80abc46f714ed84e9b1608a203abf551cb056496a67f434b9e0599ce8 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile org-netbeans-modules-projectuiapi-base-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.6
The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.
CWE-59 Improper Link Resolution Before File Access ('Link Following')
File Path: /home/runner/.m2/repository/org/netbeans/modules/org-netbeans-modules-subversion/RELEASE110/org-netbeans-modules-subversion-RELEASE110.jar MD5: b1e4fac10965088494d299c6d7ffc7d1 SHA1: db32e30d6f52c609d5e6393e4001b27ae0ae41d3 SHA256:907a5558d10898e5e1f4c0a5ffcf39e08e4a63c2c4e6633f7f0e0c9c684ec353 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile org-netbeans-modules-subversion-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.6
File Path: /home/runner/.m2/repository/org/netbeans/modules/org-netbeans-modules-versioning-core/RELEASE110/org-netbeans-modules-versioning-core-RELEASE110.jar MD5: eedfe77b5ef5d7fd89a4f05041d876fc SHA1: 61b06c0713b7dd5714b007a048b5a2c0eea4a165 SHA256:8862e9133bbdef94de3d56e0734a6a18467c1e40f9f12b71c0d13062ac737f36 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile org-netbeans-modules-versioning-core-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.modules/org-netbeans-modules-git@RELEASE110
File Path: /home/runner/.m2/repository/org/netbeans/api/org-openide-util-lookup/RELEASE110/org-openide-util-lookup-RELEASE110.jar MD5: 7081cbb64509a795a2f6be7aafdd7f04 SHA1: afcde9aa1fd6132b77f3d4e0ae89012c8324694a SHA256:b70f8ef33437b6bf4525002f5374f560b980e5a5f74c9f3733a5b1fca792ad59 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile org-openide-util-lookup-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/de.funfried.netbeans.plugins/nb-editor-close-left-right@1.0.6
LGPL, version 2.1: http://creativecommons.org/licenses/LGPL/2.1/
File Path: /home/runner/.m2/repository/net/java/dev/jna/platform/3.4.0/platform-3.4.0.jar MD5: c5057d6dc3a531708e4a91249fadda3f SHA1: e3f70017be8100d3d6923f50b3d2ee17714e9c13 SHA256:ea89d5090c8303ba4e9a0056e6d8a20429f3e021411e950bfd9eba3b6e6cf15c Referenced In Project/Scope: Close Editor Tabs Left and Right:runtime platform-3.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.api/org-netbeans-libs-git@RELEASE110
POM and identification for artifact that was not possible to uniquely identify as a maven dependency.
File Path: /home/runner/.m2/repository/org/netbeans/external/svnClientAdapter-main/RELEASE110/svnClientAdapter-main-RELEASE110.jar MD5: 755fa306d896d2026a2fc3224c392ac5 SHA1: c47ed3bcd8ceaecde3bdeeb7d8d14b577b26f9c8 SHA256:0247352fa4efbb0194705a60a0494bf01db7a4045ea41252980566d029ae41ca Referenced In Project/Scope: Close Editor Tabs Left and Right:compile svnClientAdapter-main-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.modules/org-netbeans-modules-subversion@RELEASE110
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
svnClientAdapter-main-RELEASE110
High
Vendor
jar
package name
svnclientadapter
Highest
Vendor
pom
artifactid
svnClientAdapter-main
Highest
Vendor
pom
artifactid
svnClientAdapter-main
Low
Vendor
pom
groupid
org.netbeans.external
Highest
Vendor
pom
name
Maven definition for svnClientAdapter-main.jar - external part of NetBeans module.
High
Vendor
pom
parent-artifactid
netbeans-parent
Low
Vendor
pom
parent-groupid
org.apache.netbeans
Medium
Product
file
name
svnClientAdapter-main-RELEASE110
High
Product
jar
package name
subversion
Highest
Product
jar
package name
svnclientadapter
Highest
Product
jar
package name
tigris
Highest
Product
manifest: org.tigris.subversion.svnclientadapter
Implementation-Title
org.tigris.subversion.svnclientadapter
Medium
Product
manifest: org.tigris.subversion.svnclientadapter
Specification-Title
SVNClientAdapter
Medium
Product
pom
artifactid
svnClientAdapter-main
Highest
Product
pom
groupid
org.netbeans.external
Highest
Product
pom
name
Maven definition for svnClientAdapter-main.jar - external part of NetBeans module.
POM and identification for artifact that was not possible to uniquely identify as a maven dependency.
File Path: /home/runner/.m2/repository/org/netbeans/external/updater/RELEASE110/updater-RELEASE110.jar MD5: e01e48e0cc306f6a1900991a49ad4bbd SHA1: 28d2f2a61354c8fc9eb00f61e6d0b264600c3a91 SHA256:86de2f5dc2b257733b8471f967ad5ce4ec84e9ace7591961956bf3729649aa28 Referenced In Project/Scope: Close Editor Tabs Left and Right:compile updater-RELEASE110.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.netbeans.modules/org-netbeans-modules-subversion@RELEASE110
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
updater-RELEASE110
High
Vendor
jar
package name
netbeans
Highest
Vendor
jar
package name
updater
Highest
Vendor
Manifest
netbeans-own-library
true
Low
Vendor
pom
artifactid
updater
Highest
Vendor
pom
artifactid
updater
Low
Vendor
pom
groupid
org.netbeans.external
Highest
Vendor
pom
name
Maven definition for updater.jar - external part of NetBeans module.
High
Vendor
pom
parent-artifactid
netbeans-parent
Low
Vendor
pom
parent-groupid
org.apache.netbeans
Medium
Product
file
name
updater-RELEASE110
High
Product
jar
package name
netbeans
Highest
Product
jar
package name
updater
Highest
Product
Manifest
netbeans-own-library
true
Low
Product
pom
artifactid
updater
Highest
Product
pom
groupid
org.netbeans.external
Highest
Product
pom
name
Maven definition for updater.jar - external part of NetBeans module.