diff --git a/docs/.gitbook/assets/v1-api-spec.yaml b/docs/.gitbook/assets/v1-api-spec.yaml index e39e1329eec3..de5daa0d296a 100644 --- a/docs/.gitbook/assets/v1-api-spec.yaml +++ b/docs/.gitbook/assets/v1-api-spec.yaml @@ -3,6 +3,7 @@ info: title: Snyk API contact: {} version: '1.0' + description: Snyk V1 API servers: - url: https://api.snyk.io/v1 variables: {} @@ -47,11 +48,6 @@ paths: name: '' username: '' email: '' - example: - id: '' - name: '' - username: '' - email: '' '400': description: The provided `id` is not in a valid format. headers: {} @@ -115,11 +111,6 @@ paths: username: '' email: '' orgs: [] - example: - id: '' - username: '' - email: '' - orgs: [] '401': description: '`API_KEY` is invalid.' headers: {} @@ -818,22 +809,6 @@ paths: slug: my-other-org url: https://api.snyk.io/v1/org/my-other-org created: 2021-06-07T00:00:00.000Z - example: - id: a060a49f-636e-480f-9e14-38e773b2a97f - name: ACME Inc. - url: https://api.snyk.io/v1/group/0dfc509a-e7a9-48ef-9d39-649d6468fc09 - created: 2021-06-07T00:00:00.000Z - orgs: - - name: myDefaultOrg - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - slug: my-default-org - url: https://api.snyk.io/v1/org/default-org - created: 2021-06-07T00:00:00.000Z - - name: My Other Org - id: a04d9cbd-ae6e-44af-b573-0556b0ad4bd2 - slug: my-other-org - url: https://api.snyk.io/v1/org/my-other-org - created: 2021-06-07T00:00:00.000Z deprecated: false /group/{groupId}/roles: get: @@ -975,15 +950,6 @@ paths: group: name: test-group id: 4a18d42f-0706-4ad0-b127-24078731fbed - example: - id: 0356f641-c55c-488f-af05-c2122590f369 - name: new-org - slug: new-org - url: https://api.snyk.io/v1/org/new-org - created: 2021-01-07T16:07:16.237Z - group: - name: test-group - id: 4a18d42f-0706-4ad0-b127-24078731fbed '401': description: Authorization errors. headers: {} 
@@ -1872,8 +1838,6 @@ paths: - $ref: '#/components/schemas/Addnewintegrationresponse' - example: id: 9a3e5d90-b782-468a-a042-9a2073736f0b - example: - id: 9a3e5d90-b782-468a-a042-9a2073736f0b deprecated: false /org/{orgId}/integrations/{integrationId}: put: @@ -1972,9 +1936,6 @@ paths: - example: id: 9a3e5d90-b782-468a-a042-9a2073736f0b brokerToken: 4a18d42f-0706-4ad0-b127-24078731fbed - example: - id: 9a3e5d90-b782-468a-a042-9a2073736f0b - brokerToken: 4a18d42f-0706-4ad0-b127-24078731fbed deprecated: false /org/{orgId}/integrations/{integrationId}/authentication: delete: @@ -2094,9 +2055,6 @@ paths: - example: id: 9a3e5d90-b782-468a-a042-9a2073736f0b provisionalBrokerToken: 4a18d42f-0706-4ad0-b127-24078731fbed - example: - id: 9a3e5d90-b782-468a-a042-9a2073736f0b - provisionalBrokerToken: 4a18d42f-0706-4ad0-b127-24078731fbed deprecated: false /org/{orgId}/integrations/{integrationId}/authentication/switch-token: post: @@ -2231,10 +2189,7 @@ paths: description: >- #### Required permissions - - `View Organization` - - - `View Integrations` operationId: Getexistingintegrationbytype parameters: 
@@ -5324,147 +5279,6 @@ paths: id: 689ce7f9-7943-4a71-b704-2ba575f01089 licensesPolicy: null packageManager: maven - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - url: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - - [org.apache.flex.blazeds:blazeds](https://github.com/apache/flex-blazeds) is an application development framework for easily building Flash-based applications for mobile devices, web browsers, and desktops. - - - - Affected versions of this package are vulnerable to Arbitrary Code Execution. - - The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data. By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization. - - - - Starting with BlazeDS version `4.7.3`, Deserialization of XML is disabled completely per default, while the `ClassDeserializationValidator` allows deserialization of whitelisted classes only. 
BlazeDS internally comes with the following whitelist: - - ``` - - flex.messaging.io.amf.ASObject - - flex.messaging.io.amf.SerializedObject - - flex.messaging.io.ArrayCollection - - flex.messaging.io.ArrayList - - flex.messaging.messages.AcknowledgeMessage - - flex.messaging.messages.AcknowledgeMessageExt - - flex.messaging.messages.AsyncMessage - - flex.messaging.messages.AsyncMessageExt - - flex.messaging.messages.CommandMessage - - flex.messaging.messages.CommandMessageExt - - flex.messaging.messages.ErrorMessage - - flex.messaging.messages.HTTPMessage - - flex.messaging.messages.RemotingMessage - - flex.messaging.messages.SOAPMessage - - java.lang.Boolean - - java.lang.Byte - - java.lang.Character - - java.lang.Double - - java.lang.Float - - java.lang.Integer - - java.lang.Long - - java.lang.Object - - java.lang.Short - - java.lang.String - - java.util.ArrayList - - java.util.Date - - java.util.HashMap - - org.w3c.dom.Document - - ``` - - - ## Remediation - - - Upgrade `org.apache.flex.blazeds:blazeds` to version 4.7.3 or higher. 
- - - - ## References - - - - [CVE-2017-3066](https://nvd.nist.gov/vuln/detail/CVE-2017-5641) - - - - [Github Commit](https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1) - - - - [Github Release Notes](https://github.com/apache/flex-blazeds/blob/master/RELEASE_NOTES) - - - - [Securitytracker Issue](http://www.securitytracker.com/id/1038364) - functions: [] - from: - - org.apache.flex.blazeds:blazeds@4.7.2 - package: org.apache.flex.blazeds:blazeds - version: 4.7.2 - severity: critical - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[,4.7.3)' - publicationTime: 2017-08-09T14:17:08Z - disclosureTime: 2017-04-25T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-5641 - CWE: - - CWE-502 - credit: - - Markus Wulftange - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: - - org.apache.flex.blazeds:blazeds@4.7.3 - licenses: [] - dependencyCount: 1 - org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: maven deprecated: false /test/maven: post: 
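Review bot: The References entry in this example labels the NVD link `CVE-2017-3066` while the link target and the `identifiers.CVE` entry both say CVE-2017-5641, so the visible identifier and the advisory it resolves to disagree. The hunk's leading context (`id: 689ce7f9…`, `licensesPolicy: null`, `packageManager: maven`) is the tail of the retained `example:` that this removed block duplicated, so the same mislabel presumably survives just above the hunk and should be checked there. A reader copying the label into a ticket or an allow-list would reference a different advisory. The one-line fix in the retained description is `- [CVE-2017-5641](https://nvd.nist.gov/vuln/detail/CVE-2017-5641)`; the enclosing response schema starts outside the hunk.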
@@ -5820,231 +5634,6 @@ paths: id: 4a18d42f-0706-4ad0-b127-24078731fbed licensesPolicy: null packageManager: npm - example: - ok: false - issues: - vulnerabilities: - - id: npm:ms:20151024 - url: https://snyk.io/vuln/npm:ms:20151024 - title: Regular Expression Denial of Service (ReDoS) - type: vuln - description: > - ## Overview - - - [ms](https://www.npmjs.com/package/ms) is a tiny millisecond conversion utility. - - - - Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) - - attack when converting a time period string (i.e. `"2 days"`, `"1h"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period. - - - ## Details - - Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process. - - - - The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down. - - - - Let’s take the following regular expression as an example: - - ```js - - regex = /A(B|C+)+D/ - - ``` - - - - This regular expression accomplishes the following: - - - `A` The string must start with the letter 'A' - - - `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section. - - - `D` Finally, we ensure this section of the string ends with a 'D' - - - - The expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD` - - - - It most cases, it doesn't take very long for a regex engine to find a match: - - - - ```bash - - $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' - - 0.04s user 0.01s system 95% cpu 0.052 total - - - - $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' - - 1.79s user 0.02s system 99% cpu 1.812 total - - ``` - - - - The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated. - - - - Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_. - - - - Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's: - - 1. CCC - - 2. CC+C - - 3. C+CC - - 4. C+C+C. - - - - The engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match. - - - - From there, the number of steps the engine must use to validate a string just continues to grow. - - - - | String | Number of C's | Number of steps | - - | -------|-------------:| -----:| - - | ACCCX | 3 | 38 - - | ACCCCX | 4 | 71 - - | ACCCCCX | 5 | 136 - - | ACCCCCCCCCCCCCCX | 14 | 65,553 - - - - - - By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service. - - - ## Remediation - - - Upgrade `ms` to version 0.7.1 or higher. - - - - ## References - - - - [OSS Security advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11) - - - - [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) - - - - [Security Focus](https://www.securityfocus.com/bid/96389) - functions: - - functionId: - filePath: ms.js - functionName: parse - version: - - '>0.1.0 <=0.3.0' - - functionId: - filePath: index.js - functionName: parse - version: - - '>0.3.0 <0.7.1' - from: - - ms@0.7.0 - package: ms - version: 0.7.0 - severity: medium - exploitMaturity: no-known-exploit - language: js - packageManager: npm - semver: - vulnerable: - - <0.7.1 - publicationTime: 2015-11-06T02:09:36Z - disclosureTime: 2015-10-24T20:39:59Z - isUpgradable: true - isPatchable: true - isPinnable: false - identifiers: - ALTERNATIVE: - - SNYK-JS-MS-10064 - CVE: - - CVE-2015-8315 - CWE: - - CWE-400 - NSP: - - 46 - credit: - - Adam Baldwin - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L - cvssScore: 5.3 - patches: - - comments: [] - id: 
patch:npm:ms:20151024:5 - modificationTime: 2019-12-03T11:40:45.777474Z - urls: - - https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch - version: =0.1.0 - - comments: [] - id: patch:npm:ms:20151024:4 - modificationTime: 2019-12-03T11:40:45.776329Z - urls: - - https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch - version: =0.2.0 - - comments: [] - id: patch:npm:ms:20151024:3 - modificationTime: 2019-12-03T11:40:45.775292Z - urls: - - https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch - version: =0.3.0 - - comments: [] - id: patch:npm:ms:20151024:2 - modificationTime: 2019-12-03T11:40:45.774221Z - urls: - - https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch - version: <0.6.0 >0.3.0 - - comments: [] - id: patch:npm:ms:20151024:1 - modificationTime: 2019-12-03T11:40:45.773094Z - urls: - - https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch - version: <0.7.0 >=0.6.0 - - comments: [] - id: patch:npm:ms:20151024:0 - modificationTime: 2019-12-03T11:40:45.772009Z - urls: - - https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch - version: =0.7.0 - upgradePath: - - ms@0.7.1 - licenses: [] - dependencyCount: 1 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: npm deprecated: false /test/npm: post: 
@@ -6370,216 +5959,6 @@ paths: id: 689ce7f9-7943-4a71-b704-2ba575f01089 licensesPolicy: null packageManager: golangdep - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 - url: http://localhost:34612/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 - title: Insecure Randomness - type: vuln - description: "## Overview\n[github.com/satori/go.uuid](https://github.com/satori/go.uuid) provides pure Go implementation of Universally Unique Identifier (UUID).\r\n\r\nAffected versions of this package are vulnerable to Insecure Randomness producing predictable `UUID` identifiers due to the limited number of bytes read when using the `g.rand.Read` function.\r\n \r\n## Disclosure Timeline\r\n* Jun 3th, 2018 - The vulnerability introduced by replacing the function `rand.Read()` with the function `g.rand.Read()` (https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c)\r\n* Mar 23th, 2018- An issue was reported.\r\n* Oct 16th, 2018 Issue fixed\r\n\r\n## Remediation\r\nA fix was merged into the master branch but not yet published.\n\n## References\n- [GitHub Commit](https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45)\n- [Github Issue](https://github.com/satori/go.uuid/issues/73)\n" - functions: [] - from: - - github.com/satori/go.uuid@v1.2.0 - package: github.com/satori/go.uuid - version: v1.2.0 - severity: high - exploitMaturity: no-known-exploit - language: golang - packageManager: golang - semver: - hashesRange: - - '>=0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c =0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/json/scanner@v1.0.0 - package: github.com/hashicorp/hcl/json/scanner - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: 
- - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/json/parser@v1.0.0 - package: github.com/hashicorp/hcl/json/parser - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/hcl/token@v1.0.0 - package: github.com/hashicorp/hcl/hcl/token - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/hcl/strconv@v1.0.0 - package: github.com/hashicorp/hcl/hcl/strconv - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/hcl/scanner@v1.0.0 - package: github.com/hashicorp/hcl/hcl/scanner - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/hcl/printer@v1.0.0 - package: 
github.com/hashicorp/hcl/hcl/printer - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/hcl/parser@v1.0.0 - package: github.com/hashicorp/hcl/hcl/parser - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/hcl/ast@v1.0.0 - package: github.com/hashicorp/hcl/hcl/ast - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl@v1.0.0 - package: github.com/hashicorp/hcl - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' - dependencyCount: 101 - org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: golangdep deprecated: false /test/govendor: post: 
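Review bot: The `url` fields in this example point at `http://localhost:34612/vuln/...`, a local fixture host, rather than `https://snyk.io/vuln/...` as every other example on the page does, and its disclosure timeline says the bug was introduced on "Jun 3th, 2018" yet reported on "Mar 23th, 2018". Because the hunk's leading context (`id: 689ce7f9…`, `licensesPolicy: null`, `packageManager: golangdep`) is the tail of the retained `example:` that this block duplicated, the retained copy presumably carries the same values and should be checked. Suggested replacement for the first entry is `url: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488`, with the `snyk:lic:...` entries changed the same way, and the timeline dates verified against the linked commits. The enclosing response schema starts outside the hunk.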
@@ -7008,380 +6387,6 @@ paths: id: 689ce7f9-7943-4a71-b704-2ba575f01089 licensesPolicy: null packageManager: govendor - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-GOLANG-GITHUBCOMDOCKERLIBCONTAINER-50012 - url: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDOCKERLIBCONTAINER-50012 - title: Symlink Attack - type: vuln - description: > - ## Overview - - Affected version of [`github.com/docker/libcontainer`](https://github.com/docker/libcontainer) are vulnerable to Symlink Attacks. - - Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. - - - ## References - - - [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3627) - - - [GitHub Commit](https://github.com/docker/libcontainer/commit/46132cebcf391b56842f5cf9b247d508c59bc625) - - - [Packetstorm Security](http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html) - - - [Seclists](http://seclists.org/fulldisclosure/2015/May/28) - - - [Docker Security Advisory](https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ) - functions: [] - from: - - github.com/docker/libcontainer@v1.4.0 - package: github.com/docker/libcontainer - version: v1.4.0 - severity: critical - exploitMaturity: no-known-exploit - language: golang - packageManager: golang - semver: - hashesRange: - - '>=5c246d038fc47b8d57a474e1b212ffe646764ee9 <46132cebcf391b56842f5cf9b247d508c59bc625' - vulnerable: - - <1.6.1 - vulnerableHashes: - - cab4b9bce1bece1b6c575e1826f3e5b221faebf3 - - 4a72e540feb67091156b907c4700e580a99f5a9d - - eb74393a3d2daeafbef4f5f27c0821cbdd67559c - - 4332ffcfc6765245e8e9151a2907b0e4b76f218f - - 7eceabd47f41328d6e894418ae167ce8377bda22 - - ecace12e5a3e309d82c5b3b1548a3251b3bc4e2a - - afb167a417ed8379c008b070fb5c0b1bc84bbcba - - 2b4512809110033e5ec532167efd6fabf2dd596d - - 
c2403c32dbf8a67870ab2ba7524c117fc0652256 - - 4077c254a6ac99930d720a9b95709dbd2614bc61 - - 1b755bf962ec1d29e9e5e66e2cc15704fac088e7 - - 1c9de5b4d21b94499a1e91c9b94ba06831ac5393 - - e3184f97e040c3121502dc382d41ac58a98b685a - - 0dee9793d5efd9842a2e8890fa0f8981d20b196e - - 3e9299d6da5749b263fc3dc93d50b5c854fa199c - - 152107f44ae9e38b38609fdbc75ac6f9f56c4fed - - 623fe598e4d5e75e70440f45298eecec414788b3 - - e30793aed7a30772054abfb1b3f3f703f119b55b - - 0596e6384a586223c56c5ea7d14467ebf5d17247 - - 42fed751fbab3f340461d06edb896cd10cd49812 - - e451df796aaa605413a0b84ddd1bf39ec4a751a0 - - b0eece8d7d945e1e7fc98c2ae3b7dd0a860a7c2a - - 5c246d038fc47b8d57a474e1b212ffe646764ee9 - - bfa67ab988f434fd6836c1868eb5d7d1d7864e8a - - 9bebc660423ca974192599a6a5ea8e016a6fe1fc - - e22b58954324b3593737438032412f15ed9602e9 - - af371eae767ceb51b8804f212bf97584d876feb3 - - f61899ece3fc1da206a0eb28fada0595ab381887 - - 0d0402712b5a13d1b54a345a63ec67982e2e0089 - - d1ae7cd67310f482af22de3abeb26d28e65274bf - - 9f2c67332f48c0050846ac86e01cb5dadbd1d8fe - - 62bdfc482d8edaa618b544fb2beafdf0c44dce5e - - 699429e60f23ab0fa3bdd97b6326316be08791ad - - 35c01f9eb3c228201a3fc5d2301d1fc7a00bde13 - - a72f710d89eaabf23dad7c084082bccb26e6336f - - eb84dd1b73df035e6e64c8513daaa476c72dedfc - - 5b73860e65598203b26d57aabc96ae0f52c9f9ab - - d64cfe5c05448935c75c92f65d604c751bbf5153 - - 62626677876330d60fe3512f59f1fd8f82799ca5 - - 43842efeccbd8077dba8f85fc9e772e0647b82cb - - d6cd7ce43faa53d212052dbbcf209029ec2ec951 - - ebefcddc3c4b99ae312ac575c288856e177ed6ef - - 83add60f217d32561ff0ff62ebf1d6db6a2a11a3 - - 14af6755f04233fbe55cb354a9351fe05afd43a0 - - 8530167f7f5b5eb329f5377b6b74a904482a10ed - - 000d36e109f5d04bad5342bb779e02b2b9b252f7 - - 1db687f4f480c06e6cadfdb0971985df4313ddc7 - - 689e8ec9493a4294856dc1568f5ef667e106707c - - 0eb8a1aac3d903b3c7925208c34f09c02910e7aa - - edb31ce0a6fd7956bffc0829000c60bdd56b9f32 - - 53fce307557cbffdbc54647ef63956b2cb0cee86 - - c22d5c90cf907f4f34d2bc13cad9c82a7fce9077 - - 
ef1c1c4289559e818d3ec77ce9c1b6a77d2ac764 - - 2da44f8c7b703f87e9c07164c9cc1cdd31031783 - - ee102305fb35a23668136b102ed4d0dd5b3d9ce5 - - 3ca0e1ff95c54577c65b5fbb734c267c23782974 - - f115a5f6c8c2a3cc6340408e6644236a88dcaad0 - - 29ba9b3179d014cc87129af5c51b1263443f387b - - c1ca18404fa63209e0a65abf443669155991b4df - - 5bb81469895d669ddcb4b49e83809a980d57d6b1 - - 6feb7bda04b3130e81cf9606ddb7a156d4a63f7a - - 7c8550af53b4d428d8f3a7c19c0c4a8ebca8ff21 - - 7766c1e07bd49fdc290f0557268950d35b867823 - - 4903df2ed52a01f08626739ad35937752de82a09 - - 58feafa848d9657dda34e5ccc3a196e359566bda - - 9e787db1b108941edab18209a7468e6c555002ce - - e7953c3609b62a25b0bfedcd9d3885ca1b99d2fb - - 8c3b6b18689796bc9625258258e8664746b24e85 - - dd3cb8822352fd4acc0b8b426bd86e47e98f6853 - - cc524f1b729cb5d7592d0a0b07cb3ff1fe6eda98 - - c22ac4876f0a218584ae862900f3058470be38a3 - - c1fb904d1047359e8c4dadafaa0ab065efe9e03e - - 1f176f3c0dae283d66df5360de8a93ec14b4fbd0 - - 50f0faa795dc62773857a0cc3cfb6d5681ba3562 - - 3fbf1856025f54b6eab6e73b7ff8aa4d1020e1c1 - - f4a4391e4ef7e886e56816ae59cbe99d8cff91d9 - - 2d9ef3af72e89ad9df164bd0f435371aa4fa0dea - - 187792e35bb47c89fdfe34409162c814627daacc - - b322073f27b0e9e60b2ab07eff7f4e96a24cb3f9 - - f78bf211f023d28392c6aa0d1934bb1001b3a180 - - 20af7e70e2511b4da0e035bf2fa2d6295f198970 - - f8eb40433c4a8617a20ad36119973af6f9dd2cd0 - - d7dea0e925315bab640115053204c16718839b1e - - 295c70865d10d7c57ba13cbef45c1d276ebfa83e - - 5a87153824b838be92503b57e76e96519b84b522 - - fec4c5ab0a75d7e6a46955bda0818bed7f8fecf3 - - 6a76ecb1ce53d9e623826b238033b86f072395a9 - - 2c037b7fd98e1c03e0c67ceccfd8e3300457e07e - - 4ce8d973204ebace2970c662f6f841ab11a3cc13 - - 870119e763b5976d7331fbd8656ed65207ba95ad - - 58fc93160e03387a4f41dcf4aed2e376c4a92db4 - - a3b0209cc61301941810e54bc3678ccff9af71c1 - - ec005e73b9169d17651618b91836a5d86eb7b24c - - 2fac2dad91e390acb8937ede6154c265b7011cf9 - - 0195469398f4fc1d42c0c20172b51e03ccf9ff1a - - 8d0b06257ba659ee91fa3862ed358cecbee37f73 - - 
6516e6ce8c7c71e44f95332ef740ea4082cfee39 - - 55d61e22c5e0e4dc00c99847ba20a8ffa1e3a3d4 - - ca73d7aede7eaa05f4a0acb4bd5cb17a9408cd27 - - 43fabe36d18fa36326d9e5efd2cca8b9376a7fdf - - c06f92353f4f74cdb1c66ee0bbae1cdbb46934ce - - d6fae7bb26807a386f5dd9a1ec2dc5ac51c24498 - - bde8bf2ebc5630399c7d0965f58b502100180400 - - 444cc2989aca50986b45a56bfd8a32bd7ea23c1c - - f5dfd9a702ad163be35023fe08c9573a614d6121 - - 6c2f20eeeca488b98a613e013712d7c9a3d1e619 - - cc42996625afaf38d281f2457b08551a3df0d7bc - - 903680701ad5cf25484d0ac3e78152807dfa90b3 - - 69228248334a576549a9af9df389b3cbfe0c211c - - 6460fd79667466d2d9ec03f77f319a241c58d40b - - 7d9244eab20fc96230636a066f88ad5165c34bc7 - - 9387ebb6ba5fca526aedb54c7df684102639caa3 - - b21b19e0607582cceb8d715b85d27ec113a0b799 - - c4821b6f3e0a41af6bf3ed1cfa168c13381b9554 - - 397b675315d00a34a09f058dd7e462af6f715da3 - - c504f85aabbff0d7380ca9da3f6051c56905c7c0 - - 0f8f0601ae5668510ab7bde03041dafd39b18ec6 - - c3ab8d0cb4b439b7691edf7b63fcecd169834250 - - 22df5551ed7367eb9cbb0cc22aea46351d2495ad - - d284fdfaa36d37cbba5749562d6f9303ebab7d2f - - a9a503082e492575be352c9c82040c1f4ed468d1 - - 5fedffd8fd387b24b25186622c9566325ab3db1b - - dc827aa0ee51829d292524fdf3a7a163feadabe2 - - f925aa3503eeba9d372c74d1fe2b17c8ecd97960 - - bc1d229dbe94a0100f4530b47e9c918f27b8cecd - - 71a57166c1209103dcd4355d21c161bd0f09e481 - - a9644c209f7764f9155db0c4aeb4f690c0cdb585 - - bcfdee970e8a32d04b472cd2c5712e10a5e425fe - - 3c474b9e2aad7c577faefca6c35a8512140c0c65 - - c34b3d5ce90a6b2828d5b97f553f4b49f64081af - - 286fffa4eeda7745f3b36dc938dae3e155d1b204 - - d1f0d5705debbe4d4b1aed7e087d5c49300eb271 - - 08fdb50b03dc810ca8c4386f4f8271a8d51d4445 - - c44ab12c86689065978950d2ed92bb131b2a932c - - 5df859ad240af502aebef01ca28da3ef24951e05 - - ef4efd065cb6c136c7fcbdd65285cff549b745ac - - 2f1b2ce204490854938fab57142b557caa4ab66d - - a36d471a0ef4e119ecfb41257aad246464024a40 - - 83663f82e3d76f57ea57faf80b8fd7eb96933b9b - - e8f5b543010eb0db146fd2593284ed19af93eccd - - 
c8512754166539461fd860451ff1a0af7491c197 - - dc4c502efd85727abfed95af7789caa7f10d020d - - 4940cee052ece5a8b2ea477699e7bb232de1e1f8 - - 025e6be6c5dc3d535286461088416afa74c42927 - - b4cda7a6cabf1966daf67f291c2c41ff9a1369f4 - - 074441b495052c456f4b96524bd7a80d00db42e8 - - 5847aacb32742fd734fa2c0584cae65636bba370 - - f9590b0927744d22ad0e1b737eecd07a48bb4c2f - - e05f807a8936b4491632290f13958ca26d0aaace - - fd0087d3acdc4c5865de1829d4accee5e3ebb658 - - 38f729e577e07b2c3333ed4b04146e1d64f665a8 - - 8a8eb57746e5372080a5f5e5b6fb9dce178c8220 - - afa8443118347a1f909941aec2732039d28a9034 - - d6eb76f8a2184688489fc3a611d80de36ef50877 - - 0f397d4e145fb4053792d42b3424dd2143fb23ad - - ba613c5a847ff30d312726eeff444714f8e31cde - - 445bebc1b16b1f2646a3cae841fe0e1266d79ada - - e2ed997ae5b675fc8e78e7d0f9e6918c8b87503c - - 3b95acdfa1e54de15cae2fc3083147a185a31792 - - cacc15360ec04abb4c45f918e83bf33203946e32 - - 09809b551ce9f05e96fc3055ae7a23329604415b - - 2a9511a0266afd48251609a03533094afe22fce2 - - b6cf7a6c8520fd21e75f8b3becec6dc355d844b0 - - fc3981ea5c10fb21cae6d6a8e78755be5b169999 - - dc34fe188385f42198997f6aedc170487c57c7eb - - e9f8f8528abef64b8e1b8bc046a008b009ab2417 - - fe9f7668957641a404b0d2c8850f104df591e7f2 - - 8da9c6878fa29f33dcfd74b1146d457a576d738a - - 4622c8ac9541790365eda22b6ce65d038f4026fe - - 3977c892e78d91a0c6d2a34fd2512a6c53c8d924 - - 1bd146ed82f771395f991851f7d896d9ae778f3c - - 77085907a44039fe1cf9fe24d9c7675aa53d2f9b - - 107bad0ee5141bb847257a6f57dff2469dd584da - - 2da159823d0a54756308e73dc0e58a420daffad4 - - 94fb37f5573e1484ba686b195079684cace18eb0 - - 5c6332687d5d7c902cdd954e4e6a107ed6c60848 - - 8b77eba9a6b506c71d1542d2fab1495249a7f7b6 - - da32455210de558c829f089e8c3a3d1ed8c34a5b - - e1c14b3ca245fd06ef538005cd3a250904be5b4c - - f0d1a8fc27830b899c5789ba2f80dfa9458792a4 - - 846e522ffc157c12ba244c2c8a2c6adb1ed789f7 - - 2a452c17aa2417cd89b5e25e8549f9e09c94a0dc - - 3cd416efe1e5b7d1679a20a91a73d757d481633b - - e0de51f53c6b2711f39f4f29eb58b63a9ebf2c5c - - 
f7837f4f717a9f09cf34fc325061ee8e38d1100a - - 13a5703d853fbd311e1fcfc5c95d459021781951 - - 2aebf7d849e47ca927de332b82983ba8fe03d062 - - 56bc1485df0ac0c2fe8ae5e0499e50a0580f2522 - - 8d0f911e1d9265a8f362a7a16b893f7c40aee434 - - dc82e30089dbba31a1d0cf459321486a9b546fa0 - - 4d863b7bd0d7da6ca1108031fd7d7997bf504496 - - 73ba097bf596249068513559225d6e18c1767b47 - - da109f3af037352af24f935b1ea57ba8a7f26cad - - 3c52181f613353cc3b8aefbbf637c15a11cb8242 - - c96cde4e5db0da7e798e2712c2312f2468720a98 - - 52a8c004ca94cf98f6866536de828c71eb42d1ec - - b89112c542edcc9cf5af75694c16af28a3e4f12b - - c099a20eb8bd084c17d9348bd0f6bef066ea514f - - 8067e34ec01588d2952d57e21c8c637fd3d3d114 - - 9d4f6b3d3d4feba35ea13097be415bf099b670ce - - 334b1963711b743bf014502c5513a82a23eb65cc - - 190e50b08dbd72fd1d9f21f20581fa27a498481c - - 4c43b0f49880840966cb5df13abeeb19aa8e16d7 - - 9946e299af9e911a54c83626f245dff20127e442 - - 9825a26db570697e058a4580ec3b71ab3d82fc24 - - f8daab8a96fe2c73974073696d00deb4ffb40d47 - - 88989e66d3a1ab960deb37f3dd7f824d85e1b9bc - - c5eef904604b7e22083927bb99ea0c196d4cb8b9 - - 4661c239dc6394aba960ba73144f2a7e3859537f - - 9303a8f15f6e55931a08542636922c1bf041ad52 - - 9d91f080ced0bbfcbd3c003e2a20c9cdc81bc4ff - - 99233fde8c4f58853a474a5831ef0bcf6bf866c5 - - 14a7d2f468404e25577dced6982248e80ddce79a - - b6a1b889852cd6b365833ce2b04a0c1092867f75 - - 5d6c507d7cfeff97172deedf3db13b5295bcacef - - b89cd0cf5cf5deec2ed6fdc0d8ed4e4f3167aeb4 - - be02944484da197166020d6b3f08a19d7d7d244c - - c37b9125ecaad0c100b6851baacf97adfa2339d6 - - 045e9ae4a0fa8bff397b3c4f2614a3e609e6dd66 - - 9744d72c740dd8cdfbb8cb4c58fb235355e0a0b4 - - 74005ed4e0cdbc87ce40c6b79edfd599ba2355e9 - - 1d7207079fc6ab5b2cbfedda3fc8993bc4441b02 - - 8961fd20e6e213bf967db90166e24d38da065807 - - dd5576b2b3f5667811f882d1f64a11e13164791a - - 8600e6f3158bafe927706f0613c1520971d16c32 - - e9c1b0144ae784df9d26f59bfadd8cb2fc3a1d69 - - 6423c8d2613e5130e9c37620773d2173c76f0acd - - b48acf4613cc5347ca10b6d6edd6e1b94a5378c4 - - 
6c285c1d4964662ac64f0b98620d154caf423d79 - - 312f997de638b8c18f92a59596a984bdb1a06a4e - - 11d14f2621370a527d2401c8bba10d2408819131 - - a6044b701c166fe538fc760f9e2dcea3d737cd2a - - 91a3f162afc90339b1d8f8d2f22d9c4271eddb84 - - 54301f55934f42598b8f7c88effc4bd588e5f3e7 - - 29f5cb6b391eea625c512df1f2ae7d9efccfbae9 - - 087caf69e8cabd8f1f66f6239079b60172c9fb78 - - 21ed4766b1523373b0463af497ef1c6b3b98c2ca - - 30b33064169e09e1c5daacb38ed461ed5820d0d2 - - a8a798a7c9b1da5beea8acfec16409d015ad85a7 - - a4f2e1e1878c1ce541aec24e6e2a690855cc8003 - - d06a2dab9f185c8cd2c21c0c97342cbdb7b9f38b - - 12a63757dbde3b0be25b49bc9e7625059088d319 - - 35ae1c48710ff5a4db20645bc98c719cfb695b9a - - 85cd86999f70339509692b92cf182ec36697edcf - - 10d49f830b52ed05d9b41e18c8e1ff4a44a85fb3 - - 3f35b26b8b2dcd856b12b985f9091260d5c5bd71 - - 1a37242fa2af5db30ea72b95f948285efcd63d52 - - b49bd705dcddd496aedb6e797ce8691d276236af - - eb2ae34c80f6b8ffb1bdfc55287d967c6e18cd81 - - 39fbf0a90423a1e6e31c6c042acd9aea00793a18 - - d658fb8a2566cab11600af4db164c5f1f8656116 - - f4cf808a3d184c556a51cd53d98a2f4ea05acee4 - - bdff595cad6a42ba9675f99505bebecdb28209f0 - - 9377591781a5346ed84517688787c305ed6554c4 - - 19099e065da7c810f93e83d68c0776c2336e5e03 - - a1ac9b101571477a81e1cb3c6999f818bbbf0738 - - 54968f68bc2ba50f59a66fba9f6823215a0bc4f6 - - 9455a8ce3aaccceb4c282ef6c84d7edb36dd0d4c - - 21c344a479a8fd359a9c875f3056a7e72fe4d5fb - - 00abcf89d9ad026ddce4af0038db7953b01d8b8b - - 1a246dd54326124df57cb0e8e051f57abb549c9f - - 07db66a6ef857edee2c731d1b66f42a4f32d9622 - - d4867a6583c17001a60590684d91237a580e786a - - 46573774a27c7a4d20d508f1f07ba72d34616bc3 - - 9184d9473d7b5ecb0dddca4052171534523602be - - f6593810da73cf8e1cc982d9020850260fc1ff52 - - a9442e6660e71fd2058310e6155de3ef5e4f5fdf - - cee97cb0ccad90c369b10d6a9512d678a0535cac - - aaca2848a1e1eefa71ce2987b19abae2d34cf3aa - - 3125b53b1aef485ed2239d514b131ef80ad577c1 - - 2990f254f030e62ab15b9399e26368aa3e291d15 - - b19b8a9677ae9e657e0195ac85a4849a67729cf6 - - 
e3b14402ebded2a7ec8f38809bf907ac72692ede - - 37d229d0262b6fa7dfb96184eff3f7882ddd487e - - 8002fd226367c0882973c69673bf8379df2fc198 - - a1c3e0db94579f59cc821132f958187339e68d88 - - 4fdec5a8e10f95a5dbfd84cf382f2755f0342fda - - ef73d7e235c4d4ab41402835193ac9ba0c4cc485 - - ad3d14f1da33d00ee3506f12922fb3faf87b65d7 - - a1d509759b9195a1c022f2eb9585b74d07a0f084 - - b7e54b0b41757cd36dd03fb29367b385c5fa3be0 - - d909440c48b7b64b016478de1e6ee78e2faa9e13 - - 2ca9dc306e8c667eb9f00376898be52d8b980c88 - - 031524c73df6fd40b13e89c44e86d4a62d77075b - - 6fae0d4fa68a85a1d552c5ae3140dd39f7a05c88 - - fb27b4238cd6c33bd899e240ead4b5fb8a2a24b1 - - 0890cc54a92627c03119654c94c584a2e3c744ca - - 339edce03ed7fe59ec4a778abff243fa4cabaa23 - - 2329014b6dbc473326291fa6e101e6d63c4dbd25 - - 872663148e00c4d272fc67e8d369a5012ccbac5a - - 0e3b1262a168d51512014c4f7df6c37edce0f05d - - 606d9064b0a6abd82da3731fda9f1558ec1f153c - - 4bd39999a06fa1f710daae54c6cc8ca7d5784f58 - - 562cd20d05e0427e6b18daa279a3a5f3b08c889d - - 4bbd44784c7c4eede8e53011a2c4981c16598d1f - - dc4bd4cece9a6de7926e85a09f152fe4697a8bc5 - - 770e2583907fa38e2b78601a90799b6ae7ab15eb - - f34b3b765fb964dee979ac7646b6d609adbeb2ba - - aa10040b570386c1ae311c6245b9e21295b2b83a - - fff015f4094ab80ff2eb4978f8cdb3711187c50a - - 5b2be7d9d8444e0a5b706944c878cd0048ef026a - - 2cd0ee8cf21eecaa9d39d699692284be44cf6ca2 - - 451043367be65468dd96bbf5868af666b25f1663 - - 4fc29224cf362988a741dc07804225f730a326ec - - dd6bc28afb3bafdde93ad7ed9f58b3a0aec2be99 - - 1597c68f7b941fd97881155d7f077852e2914e7b - - e59984353acde7207aa1115e261847bf4ddd9a8f - - ee1000e153e1b7c8f223bb573bb8169d2033f4af - - 1d3b2589d734dc94a1719a3af40b87ed8319f329 - publicationTime: 2015-08-06T00:00:00Z - disclosureTime: 2015-05-18T15:59:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-3627 - CWE: - - CWE-59 - credit: - - Tõnis Tiigi - CVSSv3: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 8.4 - patches: [] - upgradePath: [] - 
licenses: [] - dependencyCount: 28 - org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: govendor deprecated: false /test/yarn: post: 
@@ -7546,51 +6551,6 @@ paths: id: 4a18d42f-0706-4ad0-b127-24078731fbed licensesPolicy: null packageManager: rubygems - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-RUBY-RAILSHTMLSANITIZER-22025 - url: https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-22025 - title: Cross-site Scripting (XSS) - type: vuln - description: "## Overview\n[rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer)\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications.\n\nThis issue is similar to [CVE-2018-8048](https://snyk.io/vuln/SNYK-RUBY-LOOFAH-22023) in Loofah.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. 
For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `rails-html-sanitizer` to version 1.0.4 or higher.\n\n## References\n- [Ruby on Rails Security Google Forum](https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ)\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-3741)\n" - functions: [] - from: - - rails-html-sanitizer@1.0.3 - package: rails-html-sanitizer - version: 1.0.3 - severity: medium - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - <1.0.4 - publicationTime: 2018-03-27T07:42:10.777000Z - disclosureTime: 2018-03-22T21:46:15.453000Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-3741 - CWE: - - CWE-79 - credit: - - Kaarlo Haikonen - CVSSv3: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: - - rails-html-sanitizer@1.0.4 - licenses: [] - dependencyCount: 5 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: rubygems deprecated: false /test/rubygems: post: 
@@ -8122,497 +7082,20 @@ paths: id: 4a18d42f-0706-4ad0-b127-24078731fbed licensesPolicy: null packageManager: rubygems - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-RUBY-JSON-20000 - url: https://snyk.io/vuln/SNYK-RUBY-JSON-20000 - title: Denial of Service (DoS) - type: vuln - description: > - ## Overview - - - The [`json`](https://rubygems.org/gems/json) gem is a JSON implementation as a Ruby extension in C. - - Affected versions of this Gem contain an overflow condition. This is triggered when user-supplied input is not properly validated while handling specially crafted data. This can allow a remote attacker to cause a stack-based buffer overflow, resulting in a denial of service, or potentially allowing the [execution of arbitrary code](https://snyk.io/vuln/SNYK-RUBY-JSON-20209). - - - ## Details - - Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. - - - - Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime. - - - - One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines. - - - - When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries. - - - - Two common types of DoS vulnerabilities: - - - - * High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082). - - - - * Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108) - - - ## References - - - http://rubysec.com/advisories/OSVDB-101157 - functions: [] - from: - - json@1.0.0 - package: json - version: 1.0.0 - severity: high - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - < 1.1.0 - publicationTime: 2007-05-20T21:00:00Z - disclosureTime: 2007-05-20T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-400 - OSVDB: - - OSVDB-101157 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvssScore: 7.5 - patches: [] - upgradePath: - - json@1.1.0 - - id: SNYK-RUBY-JSON-20060 - url: https://snyk.io/vuln/SNYK-RUBY-JSON-20060 - title: Denial of Service (DoS) - type: vuln - description: > - ## Overview - - The [`json`](https://rubygems.org/gems/json) gem is a JSON implementation as a Ruby extension in C. - - Affected versions of this Gem are vulnerable to Denial of Service (DoS) attacks and unsafe object creation vulnerabilities. When parsing certain JSON documents, the JSON gem tricked into creating Ruby symbols in a target system. - - - ## Details - - - When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. - - - The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails. - - - Impacted code looks like this: - - ```js - - JSON.parse(user_input) - - ``` - - Where the `user_input` variable will have a JSON document like this: - - ```json - - {"json_class":"foo"} - - ``` - - The JSON gem will attempt to look up the constant "foo". Looking up this constant will create a symbol. 
- - - In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this: - - ```json - - {"json_class":"JSON::GenericObject","foo":"bar"} - - ``` - - This document will result in an instance of `JSON::GenericObject`, with the attribute "foo" that has the value "bar". Instantiating these objects will result in arbitrary symbol creation and in some cases can be used to bypass security measures. - - - PLEASE NOTE: this behavior *does not change* when using `JSON.load`. `JSON.load` should *never* be given input from unknown sources. If you are processing JSON from an unknown source, *always* use `JSON.parse`. + deprecated: false + /test/gradle/{group}/{name}/{version}: + get: + tags: + - Test + summary: Test for issues in a public package by group, name and version + description: >- + Test for issues in Gradle files.You can test `gradle` packages for issues according to their group, name and version. This is done via the maven endpoint (for Java), since the packages are hosted on maven central or a compatible repository. See "Maven" above for details. 
- ## References + #### Required permissions - - https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ - - https://gist.github.com/rsierra/4943505 - functions: [] - from: - - json@1.0.0 - package: json - version: 1.0.0 - severity: high - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - < 1.7.7, >= 1.7 - - < 1.6.8, >= 1.6 - - < 1.5.5 - publicationTime: 2013-02-10T22:00:00Z - disclosureTime: 2013-02-10T22:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2013-0269 - CWE: - - CWE-400 - OSVDB: - - OSVDB-90074 - credit: - - Thomas Hollstegge - - Ben Murphy - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: - - json@1.5.5 - - id: SNYK-RUBY-JSON-20209 - url: https://snyk.io/vuln/SNYK-RUBY-JSON-20209 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - - The [`json`](https://rubygems.org/gems/json) gem is a JSON implementation as a Ruby extension in C. - - - Affected versions of this Gem contain an overflow condition. This is triggered when user-supplied input is not properly validated while handling specially crafted data. This can allow a remote attacker to cause a stack-based buffer overflow, resulting in a [denial of service](https://snyk.io/vuln/SNYK-RUBY-JSON-20000), or potentially allowing the execution of arbitrary code. 
- - - ## References - - - - http://rubysec.com/advisories/OSVDB-101157 - functions: [] - from: - - json@1.0.0 - package: json - version: 1.0.0 - severity: high - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - < 1.1.0 - publicationTime: 2007-05-20T21:00:00Z - disclosureTime: 2007-05-20T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-94 - OSVDB: - - OSVDB-101157-1 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvssScore: 7.5 - patches: [] - upgradePath: - - json@1.1.0 - - id: SNYK-RUBY-RACK-538324 - url: https://snyk.io/vuln/SNYK-RUBY-RACK-538324 - title: Information Exposure - type: vuln - description: > - ## Overview - - - [rack](https://rack.github.io/) is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call. - - - - Affected versions of this package are vulnerable to Information Exposure. - - Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. - - - ## Remediation - - - Upgrade `rack` to version 1.6.12, 2.0.8 or higher. 
- - - - ## References - - - - [GitHub Fix Commit](https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38) - - - - [GitHub Security Advisory](https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3) - functions: [] - from: - - redis-rack-cache@1.1 - - rack-cache@1.1 - - rack@2.0.1 - package: rack - version: 2.0.1 - severity: medium - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - <1.6.12 - - '>=2.0.0.alpha, <2.0.8' - publicationTime: 2019-12-19T20:24:49Z - disclosureTime: 2019-12-18T20:24:49Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2019-16782 - CWE: - - CWE-200 - credit: - - Will Leinweber - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 5.3 - patches: [] - upgradePath: - - redis-rack-cache@1.1 - - rack-cache@1.1 - - rack@2.0.8 - - id: SNYK-RUBY-RACK-72567 - url: https://snyk.io/vuln/SNYK-RUBY-RACK-72567 - title: Cross-site Scripting (XSS) - type: vuln - description: > - ## Overview - - - [rack](https://rack.github.io/) is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call. - - - - Affected versions of this package are vulnerable to Cross-site Scripting (XSS) - - via the `scheme` method on `Rack::Request`. - - - ## Remediation - - - Upgrade `rack` to version 1.6.11, 2.0.6 or higher. 
- - - - ## References - - - - [GitHub Commit](https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7) - - - - [Google Security Forum](https://groups.google.com/forum/#!msg/rubyonrails-security/GKsAFT924Ag/DYtk-Xl6AAAJ) - - - - [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1646818) - functions: [] - from: - - redis-rack-cache@1.1 - - rack-cache@1.1 - - rack@2.0.1 - package: rack - version: 2.0.1 - severity: medium - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - <1.6.11 - - '>=2.0.0, <2.0.6' - publicationTime: 2018-11-06T16:08:37Z - disclosureTime: 2018-08-22T15:56:49Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-16470 - CWE: - - CWE-79 - credit: - - Aaron Patterson - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: - - redis-rack-cache@1.1 - - rack-cache@1.1 - - rack@2.0.6 - - id: SNYK-RUBY-RACKCACHE-20031 - url: https://snyk.io/vuln/SNYK-RUBY-RACKCACHE-20031 - title: HTTP Header Caching Weakness - type: vuln - description: > - ## Overview - - [rack-cache](https://rubygems.org/gems/rack-cache) enables HTTP caching for Rack-based applications. - - Affected versions of this gem contain a flaw related to the rubygem caching sensitive HTTP headers. This will result in a weakness that may make it easier for an attacker to gain access to a user's session via a specially crafted header. 
- - - ## References - - - http://rubysec.com/advisories/CVE-2012-2671 - functions: [] - from: - - redis-rack-cache@1.1 - - rack-cache@1.1 - package: rack-cache - version: '1.1' - severity: high - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - < 1.2 - publicationTime: 2012-06-05T21:00:00Z - disclosureTime: 2012-06-05T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2012-2671 - CWE: - - CWE-444 - OSVDB: - - OSVDB-83077 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: - - redis-rack-cache@1.2 - - rack-cache@1.2 - - id: SNYK-RUBY-REDISSTORE-20452 - url: https://snyk.io/vuln/SNYK-RUBY-REDISSTORE-20452 - title: Deserialization of Untrusted Data - type: vuln - description: > - ## Overview - - [`redis-store`](https://rubygems.org/gems/redis-store) is a namespaced Rack::Session, Rack::Cache, I18n and cache Redis stores for Ruby web frameworks. - - - Affected versions of the package are vulnerable to Deserialization of Untrusted Data. - - - # Details - - Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc. 
- - - _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution. - - - An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed. - - - ## Remediation - - Upgrade `redis-store` to version 1.4.0 or higher. - - - ## References - - - [NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-1000248) - - - [GitHub PR](https://github.com/redis-store/redis-store/pull/290) - - - [GitHub Issue](https://github.com/redis-store/redis-store/issues/289) - - - [GitHub Commit](https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e) - functions: [] - from: - - redis-rack-cache@1.1 - - redis-store@1.1.0 - package: redis-store - version: 1.1.0 - severity: critical - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - <1.4.0 - publicationTime: 2017-12-07T09:52:33.659000Z - disclosureTime: 2017-08-10T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-1000248 - CWE: - - CWE-502 - credit: - - Dylan Katz - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: - - redis-rack-cache@2.0.2 - - redis-store@1.4.0 - licenses: [] - dependencyCount: 6 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: rubygems - deprecated: false - /test/gradle/{group}/{name}/{version}: - get: - tags: - - Test - summary: Test for issues in a public package by group, name and version - description: >- - Test for issues in Gradle files.You can test `gradle` 
packages for issues according to their group, name and version. This is done via the maven endpoint (for Java), since the packages are hosted on maven central or a compatible repository. See "Maven" above for details. - - - #### Required permissions - - - - `View Organization` + - `View Organization` - `Test Packages` 
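Review bot: In the re-added `description: >-` block for `/test/gradle/{group}/{name}/{version}`, the blank lines that on the removed side separated the paragraph, `#### Required permissions`, and the `- `View Organization`` / `- `Test Packages`` items no longer appear on the new side; in a folded scalar (`>-`) consecutive lines at the same indent are joined with spaces, so the heading and the permission list would render as one run-on line after the sentence ending `See "Maven" above for details.`. Leading whitespace is not visible in this collapsed diff, so this holds unless the heading and list lines are more-indented than the first content line, which YAML keeps verbatim. Either restore the blank lines between those elements or change the header to `description: |-` so the line breaks are preserved. The re-added text `Gradle files.You can test` is also missing a space after the period and could be corrected while this line is touched.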
@@ -8818,147 +7301,6 @@ paths: id: 689ce7f9-7943-4a71-b704-2ba575f01089 licensesPolicy: null packageManager: maven - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - url: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - - [org.apache.flex.blazeds:blazeds](https://github.com/apache/flex-blazeds) is an application development framework for easily building Flash-based applications for mobile devices, web browsers, and desktops. - - - - Affected versions of this package are vulnerable to Arbitrary Code Execution. - - The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data. By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization. - - - - Starting with BlazeDS version `4.7.3`, Deserialization of XML is disabled completely per default, while the `ClassDeserializationValidator` allows deserialization of whitelisted classes only. 
BlazeDS internally comes with the following whitelist: - - ``` - - flex.messaging.io.amf.ASObject - - flex.messaging.io.amf.SerializedObject - - flex.messaging.io.ArrayCollection - - flex.messaging.io.ArrayList - - flex.messaging.messages.AcknowledgeMessage - - flex.messaging.messages.AcknowledgeMessageExt - - flex.messaging.messages.AsyncMessage - - flex.messaging.messages.AsyncMessageExt - - flex.messaging.messages.CommandMessage - - flex.messaging.messages.CommandMessageExt - - flex.messaging.messages.ErrorMessage - - flex.messaging.messages.HTTPMessage - - flex.messaging.messages.RemotingMessage - - flex.messaging.messages.SOAPMessage - - java.lang.Boolean - - java.lang.Byte - - java.lang.Character - - java.lang.Double - - java.lang.Float - - java.lang.Integer - - java.lang.Long - - java.lang.Object - - java.lang.Short - - java.lang.String - - java.util.ArrayList - - java.util.Date - - java.util.HashMap - - org.w3c.dom.Document - - ``` - - - ## Remediation - - - Upgrade `org.apache.flex.blazeds:blazeds` to version 4.7.3 or higher. 
- - - - ## References - - - - [CVE-2017-3066](https://nvd.nist.gov/vuln/detail/CVE-2017-5641) - - - - [Github Commit](https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1) - - - - [Github Release Notes](https://github.com/apache/flex-blazeds/blob/master/RELEASE_NOTES) - - - - [Securitytracker Issue](http://www.securitytracker.com/id/1038364) - functions: [] - from: - - org.apache.flex.blazeds:blazeds@4.7.2 - package: org.apache.flex.blazeds:blazeds - version: 4.7.2 - severity: critical - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[,4.7.3)' - publicationTime: 2017-08-09T14:17:08Z - disclosureTime: 2017-04-25T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-5641 - CWE: - - CWE-502 - credit: - - Markus Wulftange - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: - - org.apache.flex.blazeds:blazeds@4.7.3 - licenses: [] - dependencyCount: 1 - org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: maven deprecated: false /test/gradle: post: 
@@ -9134,119 +7476,6 @@ paths: id: 4a18d42f-0706-4ad0-b127-24078731fbed licensesPolicy: null packageManager: gradle - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-JAVA-AXIS-30071 - url: https://snyk.io/vuln/SNYK-JAVA-AXIS-30071 - title: Man-in-the-Middle (MitM) - type: vuln - description: "## Overview\n\n[axis:axis](https://search.maven.org/search?q=g:axis) is an implementation of the SOAP (\"Simple Object Access Protocol\") submission to W3C.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nIt does not verify the requesting server's hostname against existing domain names in the SSL Certificate. \r\n\r\n## Details\r\nThe `getCN` function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's `Common Name (CN)` or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. 
\r\n\r\n**NOTE:** this issue exists because of an incomplete fix for [CVE-2012-5784](https://snyk.io/vuln/SNYK-JAVA-AXIS-30189).\n\n## Remediation\n\nThere is no fixed version for `axis:axis`.\n\n\n## References\n\n- [Axis Issue](https://issues.apache.org/jira/browse/AXIS-2905)\n\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3596)\n\n- [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596)\n" - functions: [] - from: - - axis:axis@1.4 - package: axis:axis - version: '1.4' - severity: medium - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[0,]' - publicationTime: 2014-08-18T16:51:53Z - disclosureTime: 2014-08-18T16:51:53Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-3596 - CWE: - - CWE-297 - credit: - - David Jorm - - Arun Neelicattu - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - cvssScore: 5.4 - patches: [] - upgradePath: [] - - id: SNYK-JAVA-AXIS-30189 - url: https://snyk.io/vuln/SNYK-JAVA-AXIS-30189 - title: Man-in-the-Middle (MitM) - type: vuln - description: > - ## Overview - - - [axis:axis](https://search.maven.org/search?q=g:axis) is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. - - - - Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). - - It does not verify the requesting server's hostname against existing domain names in the SSL Certificate. - - - - ## Details - - Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's `Common Name (CN)` or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. - - - ## Remediation - - - There is no fixed version for `axis:axis`. 
- - - - ## References - - - - [Jira Issue](https://issues.apache.org/jira/browse/AXIS-2883) - - - - [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784) - - - - [Texas University](http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf) - functions: [] - from: - - axis:axis@1.4 - package: axis:axis - version: '1.4' - severity: medium - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[0,]' - publicationTime: 2017-03-13T08:00:21Z - disclosureTime: 2012-11-04T22:55:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2012-5784 - CWE: - - CWE-20 - credit: - - Alberto Fernández - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - cvssScore: 5.4 - patches: [] - upgradePath: [] - licenses: [] - dependencyCount: 6 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: gradle deprecated: false /test/sbt/{groupId}/{artifactId}/{version}: get: 
@@ -9466,147 +7695,6 @@ paths: id: 689ce7f9-7943-4a71-b704-2ba575f01089 licensesPolicy: null packageManager: maven - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - url: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - - [org.apache.flex.blazeds:blazeds](https://github.com/apache/flex-blazeds) is an application development framework for easily building Flash-based applications for mobile devices, web browsers, and desktops. - - - - Affected versions of this package are vulnerable to Arbitrary Code Execution. - - The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data. By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization. - - - - Starting with BlazeDS version `4.7.3`, Deserialization of XML is disabled completely per default, while the `ClassDeserializationValidator` allows deserialization of whitelisted classes only. 
BlazeDS internally comes with the following whitelist: - - ``` - - flex.messaging.io.amf.ASObject - - flex.messaging.io.amf.SerializedObject - - flex.messaging.io.ArrayCollection - - flex.messaging.io.ArrayList - - flex.messaging.messages.AcknowledgeMessage - - flex.messaging.messages.AcknowledgeMessageExt - - flex.messaging.messages.AsyncMessage - - flex.messaging.messages.AsyncMessageExt - - flex.messaging.messages.CommandMessage - - flex.messaging.messages.CommandMessageExt - - flex.messaging.messages.ErrorMessage - - flex.messaging.messages.HTTPMessage - - flex.messaging.messages.RemotingMessage - - flex.messaging.messages.SOAPMessage - - java.lang.Boolean - - java.lang.Byte - - java.lang.Character - - java.lang.Double - - java.lang.Float - - java.lang.Integer - - java.lang.Long - - java.lang.Object - - java.lang.Short - - java.lang.String - - java.util.ArrayList - - java.util.Date - - java.util.HashMap - - org.w3c.dom.Document - - ``` - - - ## Remediation - - - Upgrade `org.apache.flex.blazeds:blazeds` to version 4.7.3 or higher. 
- - - - ## References - - - - [CVE-2017-3066](https://nvd.nist.gov/vuln/detail/CVE-2017-5641) - - - - [Github Commit](https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1) - - - - [Github Release Notes](https://github.com/apache/flex-blazeds/blob/master/RELEASE_NOTES) - - - - [Securitytracker Issue](http://www.securitytracker.com/id/1038364) - functions: [] - from: - - org.apache.flex.blazeds:blazeds@4.7.2 - package: org.apache.flex.blazeds:blazeds - version: 4.7.2 - severity: critical - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[,4.7.3)' - publicationTime: 2017-08-09T14:17:08Z - disclosureTime: 2017-04-25T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-5641 - CWE: - - CWE-502 - credit: - - Markus Wulftange - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: - - org.apache.flex.blazeds:blazeds@4.7.3 - licenses: [] - dependencyCount: 1 - org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: maven deprecated: false /test/sbt: post: 
@@ -9831,107 +7919,6 @@ paths: id: 229b76f3-802c-4553-aa1d-01d4d86f7f61 licensesPolicy: null packageManager: pip - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-PYTHON-RSA-40541 - url: https://snyk.io/vuln/SNYK-PYTHON-RSA-40541 - title: Timing Attack - type: vuln - description: > - ## Overview - - [`rsa`](https://pypi.python.org/pypi/rsa) is a Pure-Python RSA implementation. - - - Affected versions of this package are vulnerable to Timing attacks. - - - ## References - - - [GitHub Issue](https://github.com/sybrenstuvel/python-rsa/issues/19) - - - [GitHub Commit](https://github.com/sybrenstuvel/python-rsa/commit/2310b34bdb530e0bad793d42f589c9f848ff181b) - functions: [] - from: - - rsa@3.3 - package: rsa - version: '3.3' - severity: medium - exploitMaturity: no-known-exploit - language: python - packageManager: pip - semver: - vulnerable: - - '[3.0,3.4.0)' - publicationTime: 2013-11-15T02:34:45.265000Z - disclosureTime: 2013-11-15T02:34:45.265000Z - isUpgradable: false - isPatchable: false - isPinnable: true - identifiers: - CVE: [] - CWE: - - CWE-208 - credit: - - Manuel Aude Morales - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PYTHON-RSA-40542 - url: https://snyk.io/vuln/SNYK-PYTHON-RSA-40542 - title: Authentication Bypass - type: vuln - description: > - ## Overview - - [`rsa`](https://pypi.python.org/pypi/rsa) is a Pure-Python RSA implementation. - - - Affected versions of this package are vulnerable to Authentication Bypass due to not implementing authentication encryption or use MACs to validate messages before decrypting public key encrypted messages. 
- - - ## References - - - [GitHub Issue](https://github.com/sybrenstuvel/python-rsa/issues/13) - - - [GitHub Commit](https://github.com/sybrenstuvel/python-rsa/commit/1681a0b2f84a4a252c71b87de870a2816de06fdf) - functions: [] - from: - - rsa@3.3 - package: rsa - version: '3.3' - severity: high - exploitMaturity: no-known-exploit - language: python - packageManager: pip - semver: - vulnerable: - - '[3.0,3.4)' - publicationTime: 2012-12-07T03:15:00.052000Z - disclosureTime: 2012-12-07T03:15:00.052000Z - isUpgradable: false - isPatchable: false - isPinnable: true - identifiers: - CVE: [] - CWE: - - CWE-287 - credit: - - Sergio Lerner - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvssScore: 7.5 - patches: [] - upgradePath: [] - licenses: [] - dependencyCount: 2 - org: - name: gitphill - id: 229b76f3-802c-4553-aa1d-01d4d86f7f61 - licensesPolicy: null - packageManager: pip deprecated: false /test/pip: post: 
@@ -10256,276 +8243,6 @@ paths: id: 4a18d42f-0706-4ad0-b127-24078731fbed licensesPolicy: null packageManager: pip - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-PYTHON-OAUTH2-40013 - url: https://snyk.io/vuln/SNYK-PYTHON-OAUTH2-40013 - title: Replay Attack - type: vuln - description: >+ - ## Overview - - [`oauth2`](https://pypi.python.org/pypi/oauth2) is a library for OAuth version 1.9 - - The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL. - - - - ## Remediation - - Upgrade to version `1.9rc1` or greater. - - - - ## References - - - [NVD](https://nvd.nist.gov/vuln/detail/CVE-2013-4346) - - - [Bugzilla redhat](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4346) - - - [GitHub Issue](https://github.com/simplegeo/python-oauth2/issues/129) - - functions: [] - from: - - oauth2@1.5.211 - package: oauth2 - version: 1.5.211 - severity: medium - exploitMaturity: no-known-exploit - language: python - packageManager: pip - semver: - vulnerable: - - '[,1.9rc1)' - publicationTime: 2013-02-05T12:31:58Z - disclosureTime: 2013-02-05T12:31:58Z - isUpgradable: false - isPatchable: false - isPinnable: true - identifiers: - CVE: - - CVE-2013-4346 - CWE: - - CWE-310 - credit: - - André Cruz - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N - cvssScore: 4.3 - patches: [] - upgradePath: [] - - id: SNYK-PYTHON-OAUTH2-40014 - url: https://snyk.io/vuln/SNYK-PYTHON-OAUTH2-40014 - title: Insecure Randomness - type: vuln - description: >+ - ## Overview - - [`oauth2`](https://pypi.python.org/pypi/oauth2) is a library for OAuth version 1.9 - - - - Affected versions of this package are vulnerable to Insecure Randomness. - - The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack. 
- - - - ## Remediation - - Upgrade to version `1.9rc1` or greater. - - - - ## References - - - [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4347) - - - [GitHub Issue](https://github.com/simplegeo/python-oauth2/issues/9) - - - [Openwall](http://www.openwall.com/lists/oss-security/2013/09/12/7) - - - [GitHub PR](https://github.com/simplegeo/python-oauth2/pull/146) - - functions: [] - from: - - oauth2@1.5.211 - package: oauth2 - version: 1.5.211 - severity: medium - exploitMaturity: no-known-exploit - language: python - packageManager: pip - semver: - vulnerable: - - '[,1.9rc1)' - publicationTime: 2017-04-13T12:31:58Z - disclosureTime: 2014-05-20T14:55:00Z - isUpgradable: false - isPatchable: false - isPinnable: true - identifiers: - CVE: - - CVE-2013-4347 - CWE: - - CWE-310 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - cvssScore: 5.4 - patches: [] - upgradePath: [] - - id: SNYK-PYTHON-SUPERVISOR-40610 - url: https://snyk.io/vuln/SNYK-PYTHON-SUPERVISOR-40610 - title: Arbitrary Command Execution - type: vuln - description: >- - ## Overview - - [`supervisor`](https://pypi.python.org/pypi/supervisor/) is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems. - - - - Affected versions of the package are vulnerable to Arbitrary Command Execution. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to `supervisord` that will run arbitrary shell commands on the server. The commands will be run as the same user as `supervisord`. Depending on how `supervisord` has been configured, this may be root. - - - - ## Details - - * `supervisord` is the server component and is responsible for starting child processes, responding to commands from clients, and other commands. - - * `supervisorctl` is the command line component, providing a shell-like interface to the features provided by `supervisord`. 
- - - - `supervisord` can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. This HTTP server is how `supervisorctl` communicates with `supervisord`. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to `supervisord` that will run arbitrary shell commands on the server. The commands will be run as the same user as `supervisord`. Depending on how `supervisord` has been configured, this may be root. - - This vulnerability can only be exploited by an authenticated client or if `supervisord` has been configured to run an HTTP server without authentication. If authentication has not been enabled, `supervisord` will log a message at the critical level every time it starts. - - - - ## PoC by Maor Shwartz - - - - Create a config file `supervisord.conf`: - - - - ```conf - - [supervisord] - - loglevel = trace - - - - [inet_http_server] - - port = 127.0.0.1:9001 - - - - [rpcinterface:supervisor] - - supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - - ``` - - - - Start supervisord in the foreground with that config file: - - - - ``` - - $ supervisord -n -c supervisord.conf - - ``` - - - - In a new terminal: - - - - ```py - - $ python2 - - >>> from xmlrpclib import ServerProxy - - >>> server = ServerProxy('http://127.0.0.1:9001/RPC2') - - >>> server.supervisor.supervisord.options.execve('/bin/sh', [], {}) - - ``` - - - - If the `supervisord` version is vulnerable, the `execve` will be executed and the `supervisord` process will be replaced with /bin/sh (or any other command given). If the `supervisord` version is not vulnerable, it will return an `UNKNOWN_METHOD` fault. - - - - - - ## Remediation - - Upgrade `supervisor` to version 3.3.3 or higher. 
- - - - ## References - - - [Github Issue](https://github.com/Supervisor/supervisor/issues/964) - - - [Github Commit 3.0.1](https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0) - - - [Github Commit 3.1.4](https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88) - - - [Github Commit 3.2.4](https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e) - - - [Github Commit 3.3.3](https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e) - functions: [] - from: - - supervisor@3.1.0 - package: supervisor - version: 3.1.0 - severity: high - exploitMaturity: mature - language: python - packageManager: pip - semver: - vulnerable: - - '[3.0a1,3.0.1)' - - '[3.1.0,3.1.4)' - - '[3.2.0,3.2.4)' - - '[3.3.0,3.3.3)' - publicationTime: 2017-08-08T06:59:14Z - disclosureTime: 2017-07-18T21:00:00Z - isUpgradable: false - isPatchable: false - isPinnable: true - identifiers: - CVE: - - CVE-2017-11610 - CWE: - - CWE-94 - credit: - - Maor Shwartz - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C - cvssScore: 8.8 - patches: [] - upgradePath: [] - licenses: [] - dependencyCount: 4 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: pip deprecated: false /test/composer: post: 
@@ -12954,2596 +10671,116 @@ paths: - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-10) functions: [] from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2, <2.4.9' - publicationTime: 2015-11-23T14:30:00Z - disclosureTime: 2015-11-23T14:30:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-7503 - CWE: - - CWE-200 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvssScore: 7.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70337 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70337 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Arbitrary Code Execution. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.4.11 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2016-04) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.11 - publicationTime: 2016-12-19T15:29:00Z - disclosureTime: 2016-12-19T15:29:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-94 - credit: - - Dawid Golunski - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-72268 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-72268 - title: Arbitrary URL Rewrite - type: vuln - description: "## Overview\n[zendframework/zendframework](https://packagist.org/packages/zendframework/zendframework) provides functionality for consuming RSS and Atom feeds.\n\nAffected versions of this package are vulnerable to Arbitrary URL Rewrite. The request URI marshaling process contains logic that inspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. 
\n\nWhen these headers are present on systems not running the specific URL rewriting mechanism, the URLs are subject to rewriting, allowing a malicious client or proxy to emulate the headers to request arbitrary content.\n\n## Remediation\nUpgrade `zendframework/zendframework` to version 2.5.0 or higher.\n\n## References\n- [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2018-01)\n" - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.5.0 - publicationTime: 2018-08-15T08:34:54.643000Z - disclosureTime: 2018-08-02T16:29:46.707000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-601 - credit: - - Drupal Security Team - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - licenses: [] - dependencyCount: 31 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: composer - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-PHP-AWSAWSSDKPHP-70003 - url: https://snyk.io/vuln/SNYK-PHP-AWSAWSSDKPHP-70003 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - Affected versions of [`aws/aws-sdk-php`](https://packagist.org/packages/aws/aws-sdk-php) are vulnerable to Arbitrary Code Execution. - - Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code. 
- - - ## Remediation - - Upgrade `aws/aws-sdk-php` to version 3.2.1 or higher. - - - ## References - - - [NVD](https://nvd.nist.gov/vuln/detail/CVE-2015-5723) - - - [Github ChangeLog](https://github.com/aws/aws-sdk-php/blob/master/CHANGELOG.md#321---2015-07-23) - functions: [] - from: - - aws/aws-sdk-php@3.0.0 - package: aws/aws-sdk-php - version: 3.0.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <3.2.1 - publicationTime: 2015-07-24T00:41:41Z - disclosureTime: 2015-07-24T00:41:41Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-5723 - CWE: - - CWE-264 - credit: - - Ryan Lane - CVSSv3: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvssScore: 7.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-DOCTRINECOMMON-70024 - url: https://snyk.io/vuln/SNYK-PHP-DOCTRINECOMMON-70024 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - Affected versions of [`doctrine/common`](https://packagist.org/packages/doctrine/common) are vulnerable to Arbitrary Code Execution. - - - Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code. - - - ## Remediation - - Upgrade `doctrine/common` to version 2.5.1, 2.4.3 or higher. 
- - - ## References - - - [Doctrine Release Notes](http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html) - functions: [] - from: - - doctrine/common@2.5.0 - package: doctrine/common - version: 2.5.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.3 - - '>=2.5.0, <2.5.1' - publicationTime: 2015-08-31T14:42:59Z - disclosureTime: 2015-08-31T14:42:59Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-5723 - CWE: - - CWE-94 - credit: - - Ryan Lane - CVSSv3: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvssScore: 7.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-DOCTRINECOMMON-70024 - url: https://snyk.io/vuln/SNYK-PHP-DOCTRINECOMMON-70024 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - Affected versions of [`doctrine/common`](https://packagist.org/packages/doctrine/common) are vulnerable to Arbitrary Code Execution. - - - Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code. - - - ## Remediation - - Upgrade `doctrine/common` to version 2.5.1, 2.4.3 or higher. 
- - - ## References - - - [Doctrine Release Notes](http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html) - functions: [] - from: - - symfony/symfony@2.3.1 - - doctrine/common@2.5.0 - package: doctrine/common - version: 2.5.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.3 - - '>=2.5.0, <2.5.1' - publicationTime: 2015-08-31T14:42:59Z - disclosureTime: 2015-08-31T14:42:59Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-5723 - CWE: - - CWE-94 - credit: - - Ryan Lane - CVSSv3: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvssScore: 7.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-173743 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-173743 - title: Cross-site Scripting (XSS) - type: vuln - description: "## Overview\n\n[symfony/symfony](https://packagist.org/packages/symfony/symfony) is a PHP framework for web applications and a set of reusable PHP components.\n\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS).\nA remote attacker could inject arbitrary web script or HTML via the \"file\" parameter in a URL.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\n\nUpgrade `symfony/symfony` to version 4.1 or higher.\n\n\n## References\n\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-12040)\n" - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <4.1 - publicationTime: 2018-06-14T00:35:49Z - disclosureTime: 2018-06-08T00:35:49Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-12040 - CWE: - - CWE-79 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-173744 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-173744 - title: Host Header Injection - type: vuln - description: > - ## Overview - - - [symfony/symfony](https://packagist.org/packages/symfony/symfony) is a PHP framework for web applications and a set of reusable PHP components. - - - - Affected versions of this package are vulnerable to Host Header Injection. - - When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. - - - ## Remediation - - - Upgrade `symfony/symfony` to version 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, 4.1.2 or higher. 
- - - - ## References - - - - [GitHub Commit](https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a) - - - - [GitHub Release Tag 4.1.3](https://github.com/symfony/symfony/releases/tag/v4.1.3) - - - - [Symphony Security Blog](https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.49 - - '>=2.8.0, <2.8.44' - - '>=3.3.0, <3.3.18' - - '>=3.4.0, <3.4.14' - - '>=4.0.0, <4.0.14' - - '>=4.1.0, <4.1.2' - publicationTime: 2018-08-05T13:44:27Z - disclosureTime: 2018-07-31T17:24:43Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-14774 - CWE: - - CWE-444 - credit: - - Chaosversum - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvssScore: 7.2 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-173745 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-173745 - title: Cross-site Scripting (XSS) - type: vuln - description: "## Overview\n\n[symfony/symfony](https://packagist.org/packages/symfony/symfony) is a PHP framework for web applications and a set of reusable PHP components.\n\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS)\nvia the content page.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\n\nUpgrade `symfony/symfony` to version 2.7.7 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0)\n\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-12043)\n" - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.7 - publicationTime: 2018-06-13T10:56:51Z - disclosureTime: 2018-06-07T21:05:47Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-12043 - CWE: - - CWE-79 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70207 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70207 - title: Loss of Information - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Loss of Information. - - - When using the Validator component, if Symfony\\Component\\Validator\\Mapping\\Cache\\ApcCache is enabled (or any other cache implementing Symfony\\Component\\Validator\\Mapping\\Cache\\CacheInterface), some information is lost during serialization (the collectionCascaded and the collectionCascadedDeeply fields). 
- - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.3, 2.1.12, 2.2.5, 2.0.24 or higher. - - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: low - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.3' - - '>=2.1.0, <2.1.12' - - '>=2.2.0, <2.2.5' - - '>=2, <2.0.24' - publicationTime: 2013-08-17T07:55:32Z - disclosureTime: 2013-08-17T07:55:32Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2013-4751 - CWE: - - CWE-221 - credit: - - Alexandre Salome - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 3.7 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70208 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70208 - title: HTTP Host Header Poisoning - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to HTTP Host Header Poisoning. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.3, 2.1.12, 2.2.5, 2.0.24 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.3' - - '>=2.1.0, <2.1.12' - - '>=2.2.0, <2.2.5' - - '>=2, <2.0.24' - publicationTime: 2013-08-17T09:14:49Z - disclosureTime: 2013-08-17T09:14:49Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2013-4752 - CWE: - - CWE-74 - credit: - - Jordan Alliot - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N - cvssScore: 8.2 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70209 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70209 - title: Denial of Service (DoS) - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Denial of Service (DoS). - - - The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to [CVE-2013-5750](https://snyk.io/vuln/SNYK-PHP-FRIENDSOFSYMFONYUSERBUNDLE-70102). - - - ## Details - - Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. - - - - Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime. 
- - - - One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines. - - - - When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries. - - - - Two common types of DoS vulnerabilities: - - - - * High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082). - - - - * Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108) - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.6, 2.1.13, 2.2.9, 2.0.25 or higher. - - - ## References - - - [NVD](https://nvd.nist.gov/vuln/detail/CVE-2013-5958) - - - [Symfony Release Notes](http://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2, <2.0.25' - - '>=2.1.0, <2.1.13' - - '>=2.2.0, <2.2.9' - - '>=2.3.0, <2.3.6' - publicationTime: 2013-10-10T08:30:51Z - disclosureTime: 2013-10-10T08:30:51Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2013-5958 - CWE: - - CWE-400 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70210 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70210 - title: Arbitrary Code Injection - type: vuln - description: > - ## Overview - 
- Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Arbitrary Code Injection. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.19, 2.2.0, 2.4.9, 2.5.4, 2.3.0, 2.1.0 or higher. - - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released) - - - [GitHub Commit](https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.19' - - '>=2.1.0, <2.2.0' - - '>=2.4.0, <2.4.9' - - '>=2.5.0, <2.5.4' - - '>=2.2.0, <2.3.0' - - '>=2, <2.1.0' - publicationTime: 2014-07-25T22:18:02Z - disclosureTime: 2014-07-25T22:18:02Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-4931 - CWE: - - CWE-94 - credit: - - Jeremy Derussé - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 5.6 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70211 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70211 - title: Denial of Service (DoS) - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Denial of Service (DoS). - - - ## Details - - Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. - - - - Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime. 
- - - - One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines. - - - - When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries. - - - - Two common types of DoS vulnerabilities: - - - - * High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082). - - - - * Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108) - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.19, 2.4.9, 2.5.4 or higher. - - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header) - - - [GitHub PR](https://github.com/symfony/symfony/pull/11828) - - - [GitHub Commit](https://github.com/symfony/symfony/commit/1ee96a8b1b0987ffe2a62dca7ad268bf9edfa9b8) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2, <2.3.19' - - '>=2.4.0, <2.4.9' - - '>=2.5.0, <2.5.4' - publicationTime: 2014-09-03T07:37:21Z - disclosureTime: 2014-09-03T07:37:21Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-5244 - CWE: - - CWE-400 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70212 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70212 - title: 
Information Exposure - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Information Exposure. - - - When you enable the ESI feature and when you are using a proxy like Varnish that you configured as a trusted proxy, the FragmentHandler considered requests to render fragments as coming from a trusted source, even if the client was requesting them directly. Symfony can not distinguish between ESI requests done on behalf of the client by Varnish and faked fragment requests coming directly from the client. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.19, 2.2.0, 2.4.9, 2.5.4, 2.3.0, 2.1.0 or higher. - - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2014-5245-direct-access-of-esi-urls-behind-a-trusted-proxy) - - - [GitHub PR](https://github.com/symfony/symfony/pull/11831) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: low - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.19' - - '>=2.1.0, <2.2.0' - - '>=2.4.0, <2.4.9' - - '>=2.5.0, <2.5.4' - - '>=2.2.0, <2.3.0' - - '>=2, <2.1.0' - publicationTime: 2014-09-03T07:40:02Z - disclosureTime: 2014-09-03T07:40:02Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-5245 - CWE: - - CWE-200 - credit: - - Cédric Nirousset - - Trent Steel - - Christophe Coevoet - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 3.7 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70213 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70213 - title: Authentication Bypass - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Authentication Bypass. 
- - - When an application uses an HTTP basic or digest authentication, Symfony does not parse the Authorization header properly, which could be exploited in some server setups (no exploits have been demonstrated though.) - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.19, 2.2.0, 2.4.9, 2.5.4, 2.3.0, 2.1.0 or higher. - - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2014-6061-security-issue-when-parsing-the-authorization-header) - - - [GitHub Issue](https://github.com/symfony/symfony/pull/11829) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: low - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.19' - - '>=2.1.0, <2.2.0' - - '>=2.4.0, <2.4.9' - - '>=2.5.0, <2.5.4' - - '>=2.2.0, <2.3.0' - - '>=2, <2.1.0' - publicationTime: 2014-09-03T07:38:23Z - disclosureTime: 2014-09-03T07:38:23Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-6061 - CWE: - - CWE-592 - credit: - - Damien Tournoud - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 3.7 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70214 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70214 - title: Cross-site Request Forgery (CSRF) - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Cross-site Request Forgery (CSRF). - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.19, 2.2.0, 2.4.9, 2.5.4, 2.3.0, 2.1.0 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2014-6072-csrf-vulnerability-in-the-web-profiler) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.19' - - '>=2.1.0, <2.2.0' - - '>=2.4.0, <2.4.9' - - '>=2.5.0, <2.5.4' - - '>=2.2.0, <2.3.0' - - '>=2, <2.1.0' - publicationTime: 2014-09-03T07:40:30Z - disclosureTime: 2014-09-03T07:40:30Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-6072 - CWE: - - CWE-352 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70215 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70215 - title: Arbitrary Code Injection - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Arbitrary Code Injection. - - - Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a `language="php"` attribute of a SCRIPT element. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.27, 2.6.6, 2.2.0, 2.5.0, 2.5.11, 2.3.0, 2.1.0 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2015-2308-esi-code-injection) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.27' - - '>=2.6.0, <2.6.6' - - '>=2.1.0, <2.2.0' - - '>=2.4.0, <2.5.0' - - '>=2.5.0, <2.5.11' - - '>=2.2.0, <2.3.0' - - '>=2, <2.1.0' - publicationTime: 2015-04-01T18:55:26Z - disclosureTime: 2015-04-01T18:55:26Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-2308 - CWE: - - CWE-94 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70216 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70216 - title: Man-in-the-Middle (MitM) - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Man-in-the-Middle (MitM). - - - The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.27, 2.5.11, 2.6.6 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2, <2.3.27' - - '>=2.4.0, <2.5.11' - - '>=2.6.0, <2.6.6' - publicationTime: 2015-04-01T18:55:26Z - disclosureTime: 2015-04-01T18:55:26Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-2309 - CWE: - - CWE-300 - credit: - - Dmitrii Chekaliuk - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N - cvssScore: 6.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70218 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70218 - title: Session Fixation - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Session Fixation. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.35, 2.6.12, 2.5.0, 2.7.7, 2.6.0 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.35' - - '>=2.6.0, <2.6.12' - - '>=2.4.0, <2.5.0' - - '>=2.7.0, <2.7.7' - - '>=2.5.0, <2.6.0' - publicationTime: 2015-11-23T11:45:06Z - disclosureTime: 2015-11-23T11:45:06Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-8124 - CWE: - - CWE-384 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70219 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70219 - title: Timing Attack - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Timing Attack. - - - Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving: - - * Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or - - * Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or - - * legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.35, 2.6.12, 2.5.0, 2.7.7, 2.6.0 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.35' - - '>=2.6.0, <2.6.12' - - '>=2.4.0, <2.5.0' - - '>=2.7.0, <2.7.7' - - '>=2.5.0, <2.6.0' - publicationTime: 2015-11-23T11:45:06Z - disclosureTime: 2015-11-23T11:45:06Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-8125 - CWE: - - CWE-208 - credit: - - Sebastiaan Stok - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70220 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70220 - title: Insecure Randomness - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Insecure Randomness . - - - The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.37, 2.6.13, 2.5.0, 2.7.9, 2.6.0 or higher. 
- - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.37' - - '>=2.6.0, <2.6.13' - - '>=2.4.0, <2.5.0' - - '>=2.7.0, <2.7.9' - - '>=2.5.0, <2.6.0' - publicationTime: 2016-01-14T09:59:32Z - disclosureTime: 2016-01-14T09:59:32Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2016-1902 - CWE: - - CWE-330 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvssScore: 7.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-70222 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70222 - title: Denial of Service (DoS) - type: vuln - description: > - ## Overview - - Affected versions of [`symfony/symfony`](https://packagist.org/packages/symfony/symfony) are vulnerable to Denial of Service (DoS). - - - The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. - - - ## Details - - Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. - - - - Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime. 
- - - - One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines. - - - - When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries. - - - - Two common types of DoS vulnerabilities: - - - - * High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082). - - - - * Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108) - - - ## Remediation - - Upgrade `symfony/symfony` to version 2.3.41, 2.7.0, 2.5.0, 2.7.13, 2.6.0, 2.8.6, 3.0.6 or higher. - - - ## References - - - [Symfony Release Notes](http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session) - - - [GitHub PR](https://github.com/symfony/symfony/pull/18733) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.41' - - '>=2.6.0, <2.7.0' - - '>=2.4.0, <2.5.0' - - '>=2.7.0, <2.7.13' - - '>=2.5.0, <2.6.0' - - '>=2.8.0, <2.8.6' - - '>=3, <3.0.6' - publicationTime: 2016-05-09T21:31:02Z - disclosureTime: 2016-05-09T21:31:02Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2016-4423 - CWE: - - CWE-400 - credit: - - Marek Alaksa - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvssScore: 7.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-72196 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-72196 - title: Denial 
of Service (DoS) - type: vuln - description: > - ## Overview - - [symfony/symfony](https://packagist.org/packages/symfony/symfony) is a set of reusable PHP components. - - - Affected versions of this package are vulnerable to Denial of Service (DoS) attacks via the `PDOSessionHandler` class. - - - **An application is vulnerable when:** - - - * It uses `PDOSessionHandler` to store its sessions - - * And it uses MySQL as a backend for sessions managed by `PDOSessionHandler` - - * And the SQL mode does not contain `STRICT_ALL_TABLES` or `STRICT_TRANS_TABLES`. - - - With this configuration, An attacker may conduct a denial of service by a well-crafted session, which leads to an infinite loop in the code. - - - ## Details - - Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. - - - - Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime. - - - - One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines. - - - - When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries. - - - - Two common types of DoS vulnerabilities: - - - - * High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082). - - - - * Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108) - - - ## Remediation - - Upgrade `symfony/symfony` to versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 or higher. - - - ## References - - - [Symphony Security Advisory](https://symfony.com/cve-2018-11386) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.48 - - '>=2.8.0, <2.8.41' - - '>=3.0.0, <3.3.17' - - '>=3.4.0, <3.4.11' - - '>=4.0.0, <4.0.11' - publicationTime: 2018-05-30T11:36:38.154000Z - disclosureTime: 2018-05-30T03:25:45.531000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-11386 - CWE: - - CWE-835 - credit: - - Federico Stange - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H - cvssScore: 5.9 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-72197 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-72197 - title: Access Restriction Bypass - type: vuln - description: > - ## Overview - - [symfony/symfony](https://packagist.org/packages/symfony/symfony) is a set of PHP components. - - - Affected versions of this package are vulnerable to Access Restriction Bypass. A misconfigured LDAP server allowed unauthorized access, due to a missing check for `null` passwords. - - - **Note:** This is related to [CVE-2016-2403](https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70221). - - - ## Remediation - - Upgrade `symfony/symfony` to versions 2.8.37, 3.3.17, 3.4.7, 4.0.7 or higher. 
- - - ## References - - - [Symphony Security Advisory](https://symfony.com/cve-2018-11407) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: critical - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.8.37 - - '>=3.0.0, <3.3.17' - - '>=3.4.0, <3.4.7' - - '>=4.0.0, <4.0.7' - publicationTime: 2018-05-30T11:36:38.236000Z - disclosureTime: 2018-05-30T03:25:45.532000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-11407 - CWE: - - CWE-284 - credit: - - Theo Bouge - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-72198 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-72198 - title: CSRF Token Fixation - type: vuln - description: > - ## Overview - - [symfony/symfony](https://packagist.org/packages/symfony/symfony) is a set of reusable PHP components. - - - Affected versions of this package are vulnerable to CSRF Token Fixation. CSRF tokens where not erased during logout, when the `invalidate_session` option was disabled. By default, a user’s session is invalidated when the user is logged out. - - - ## Remediation - - Upgrade `symfony/symfony` to versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 or higher. 
- - - ## References - - - [Symphony Security Advisory](https://symfony.com/cve-2018-11406) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.48 - - '>=2.8.0, <2.8.41' - - '>=3.0.0, <3.3.17' - - '>=3.4.0, <3.4.11' - - '>=4.0.0, <4.0.11' - publicationTime: 2018-05-30T11:36:38.318000Z - disclosureTime: 2018-05-30T03:25:45.533000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-11406 - CWE: - - CWE-384 - credit: - - Kevin Liagre - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvssScore: 8.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-72199 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-72199 - title: Open Redirect - type: vuln - description: > - ## Overview - - [symfony/symfony](https://packagist.org/packages/symfony/symfony) is a set of reusable PHP components. - - - Affected versions of this package are vulnerable to Open Redirect. This is due to an incomplete fix for [CVE-2017-16652](https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-70381). There was an an edge case when the `security.http_utils` was inlined by the container. - - - ## Remediation - - Upgrade `symfony/symfony` to versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 or higher. 
- - - ## References - - - [Symphony Security Advisory](https://symfony.com/cve-2018-11408) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.48 - - '>=2.8.0, <2.8.41' - - '>=3.0.0, <3.3.17' - - '>=3.4.0, <3.4.11' - - '>=4.0.0, <4.0.11' - publicationTime: 2018-05-30T11:36:38.403000Z - disclosureTime: 2018-05-30T03:25:45.535000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-11408 - CWE: - - CWE-601 - credit: - - Antal Aron - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-72200 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-72200 - title: Session Fixation - type: vuln - description: > - ## Overview - - [symfony/symfony](https://packagist.org/packages/symfony/symfony) is a set of reusable PHP components. - - - Affected versions of this package are vulnerable to Session Fixation via the `Guard` login feature. An attacker may be able to impersonate the victim towards the web application if the session id value was previously known to the attacker. This allows the attacker to access a Symfony web application with the attacked user's permissions. - - - **Note:** - - * The `Guard authentication` login feature must be enabled for the attack to be applicable. - - * The attacker must have access to the `PHPSESSID` cookie value or has successfully set a new value in the user's browser. - - - ## Remediation - - Upgrade `symfony/symfony` to versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 or higher. 
- - - ## References - - - [Symphony Security Advisory](https://symfony.com/cve-2018-11385) - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.48 - - '>=2.8.0, <2.8.41' - - '>=3.0.0, <3.3.17' - - '>=3.4.0, <3.4.11' - - '>=4.0.0, <4.0.11' - publicationTime: 2018-05-30T11:36:38.526000Z - disclosureTime: 2018-05-30T03:25:45.536000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-11385 - CWE: - - CWE-384 - credit: - - Chris Wilkinson - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 8.1 - patches: [] - upgradePath: [] - - id: SNYK-PHP-SYMFONYSYMFONY-72246 - url: https://snyk.io/vuln/SNYK-PHP-SYMFONYSYMFONY-72246 - title: Cross-site Scripting (XSS) - type: vuln - description: "## Overview\n[symfony/symfony](https://packagist.org/packages/symfony/symfony) is the The Symfony PHP framework.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via the `ExceptionHandler.php` method.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `symfony/symfony` to versions 2.7.33, 2.8.26, 3.2.13, 3.3.6 or higher.\n\n## References\n- [GitHub PR](https://github.com/symfony/symfony/pull/23684)\n- [GitHub Issue](https://github.com/symfony/symfony/issues/27987)\n" - functions: [] - from: - - symfony/symfony@2.3.1 - package: symfony/symfony - version: 2.3.1 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.7.33 - - '>=2.8.0, <2.8.26' - - '>=3.0.0, <3.2.13' - - '>=3.3.0, <3.3.6' - publicationTime: 2018-07-30T13:57:42.005000Z - disclosureTime: 2018-07-20T00:54:33.251000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-18343 - CWE: - - CWE-79 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: [] - - id: SNYK-PHP-TWIGTWIG-173776 - url: https://snyk.io/vuln/SNYK-PHP-TWIGTWIG-173776 - title: Information Exposure - type: vuln - description: > - ## Overview - - - [twig/twig](https://packagist.org/packages/twig/twig) is a flexible, fast, and secure template language for PHP. - - - - Affected versions of this package are vulnerable to Information Exposure - - due to allowing the evaluation of non-trusted templates in a sandbox, where everything is forbidden if not explicitly allowed by a sandbox policy (tags, filters, functions, method calls, ...). 
- - - - *Note: If you are not using the sandbox, your code is not affected.* - - - ## Remediation - - - Upgrade `twig/twig` to version 1.38.0, 2.7.0 or higher. - - - - ## References - - - - [GitHub Commit](https://github.com/twigphp/Twig/commit/0f3af98ef6e71929ad67fb6e5f3ad65777c1c4c5) - - - - [Twig Security Advisory](https://symfony.com/blog/twig-sandbox-information-disclosure) - functions: [] - from: - - symfony/symfony@2.3.1 - - twig/twig@1.35.0 - package: twig/twig - version: 1.35.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=1.0.0, <1.38.0' - - '>=2.0.0, <2.7.0' - publicationTime: 2019-03-12T13:58:49Z - disclosureTime: 2019-03-12T13:58:49Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2019-9942 - CWE: - - CWE-200 - credit: - - Fabien Potencier - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/RL:O - cvssScore: 4.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-TWIGTWIG-72239 - url: https://snyk.io/vuln/SNYK-PHP-TWIGTWIG-72239 - title: Server Side Template Injection (SSTI) - type: vuln - description: > - ## Overview - - [twig/twig](https://packagist.org/packages/twig/twig) is a flexible, fast, and secure template language for PHP. - - - Affected versions of this package are vulnerable to Server Side Template Injection (SSTI) via the `search_key` parameter. - - - ## Remediation - - Upgrade `twig/twig` to version 2.4.4 or higher. 
- - - ## References - - - [Exploit-DB](https://www.exploit-db.com/exploits/44102/) - - - [GitHub Commit](https://github.com/twigphp/Twig/commit/eddb97148ad779f27e670e1e3f19fb323aedafeb) - - - [GitHub ChangLog](https://github.com/twigphp/Twig/blob/2.x/CHANGELOG) - functions: [] - from: - - symfony/symfony@2.3.1 - - twig/twig@1.35.0 - package: twig/twig - version: 1.35.0 - severity: critical - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.4 - publicationTime: 2018-07-23T13:46:08.115000Z - disclosureTime: 2018-07-10T15:06:02.373000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-13818 - CWE: - - CWE-94 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: [] - - id: SNYK-PHP-YIISOFTYII-70295 - url: https://snyk.io/vuln/SNYK-PHP-YIISOFTYII-70295 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - Affected versions of [`yiisoft/yii`](https://packagist.org/packages/yiisoft/yii) are vulnerable to Arbitrary Code Execution. - - - The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property. - - - ## Remediation - - Upgrade `yiisoft/yii` to version 1.1.15 or higher. 
- - - ## References - - - [Yii Framework Security Advisory](http://www.yiiframework.com/news/78/yii-1-1-15-is-released-security-fix/) - functions: [] - from: - - yiisoft/yii@1.1.14 - package: yiisoft/yii - version: 1.1.14 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <1.1.15 - publicationTime: 2014-06-30T07:15:00Z - disclosureTime: 2014-06-30T07:15:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-4672 - CWE: - - CWE-94 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70321 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70321 - title: Route Parameter Injection - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Route Parameter Injection. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.1.4, 2.0.8 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2013-01) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.1.0, <2.1.4' - - '>=2, <2.0.8' - publicationTime: 2013-03-13T08:39:38Z - disclosureTime: 2013-03-13T08:39:38Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-74 - credit: - - codemagician - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N - cvssScore: 6.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70322 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70322 - title: Information Exposure - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Information Exposure. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.1.4, 2.0.8 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2013-02) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: low - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.1.0, <2.1.4' - - '>=2, <2.0.8' - publicationTime: 2013-03-13T15:05:23Z - disclosureTime: 2013-03-13T15:05:23Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-200 - credit: - - Pádraic Brady - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 3.7 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70323 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70323 - title: SQL Injection - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to SQL Injection due to execution of platform-specific SQL containing interpolations. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.1.4, 2.0.8 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2013-03) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.1.0, <2.1.4' - - '>=2, <2.0.8' - publicationTime: 2013-03-13T15:04:50Z - disclosureTime: 2013-03-13T15:04:50Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-89 - credit: - - Axel Helmert - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70324 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70324 - title: IP Spoofing - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Potential IP Spoofing. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.2.5 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2013-04) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.2.5 - publicationTime: 2013-10-31T10:35:17Z - disclosureTime: 2013-10-31T10:35:17Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-290 - credit: - - Steve Talbot - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70325 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70325 - title: XML External Entity (XXE) Injection - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to XML External Entity (XXE) Injection. - - - ## Details - - - XXE Injection is a type of attack against an application that parses XML input. - - XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document. - - - - Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier. - - - - For example, below is a sample XML document, containing an XML element- username. 
- - - - ```xml - - - - John - - - - ``` - - - - An external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`. - - - - ```xml - - - - ]> - - &xxe; - - - - ``` - - - - Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.1.6, 2.2.6 or higher. - - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2014-01) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.1.0, <2.1.6' - - '>=2.2.0, <2.2.6' - publicationTime: 2014-02-26T16:02:02Z - disclosureTime: 2014-02-26T16:02:02Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-611 - credit: - - Lukas Reschke - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70326 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70326 - title: Cross-site Scripting (XSS) - type: vuln - description: "## Overview\nAffected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Cross-site Scripting (XSS).\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web 
application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. 
The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `zendframework/zendframework` to version 2.3.1, 2.2.7 or higher.\n\n## References\n- [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2014-03)\n" - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.1' - - '>=2, <2.2.7' - publicationTime: 2014-02-26T16:02:02Z - disclosureTime: 2014-02-26T16:02:02Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-79 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N - cvssScore: 6.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70327 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70327 - title: Authentication Bypass - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Authentication Bypass. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.3.3, 2.2.8 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2014-05) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.3' - - '>=2, <2.2.8' - publicationTime: 2014-09-16T22:00:00Z - disclosureTime: 2014-09-16T22:00:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-8088 - CWE: - - CWE-592 - credit: - - Matthew Daley - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70328 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70328 - title: SQL Injection - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to SQL Injection vector when manually quoting values for sqlsrv extension, using null byte. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.3.3, 2.2.8 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2014-06) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.3' - - '>=2, <2.2.8' - publicationTime: 2014-09-16T22:00:00Z - disclosureTime: 2014-09-16T22:00:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2014-8089 - CWE: - - CWE-89 - credit: - - Jonas Sandström - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70329 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70329 - title: Insufficient Session Validation - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Insufficient Session Validation. - - - `Zend\Session` session validators do not work as expected if set prior to the start of a session. - - - The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. - - - An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.3.4, 2.2.9 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-01) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.4' - - '>=2, <2.2.9' - publicationTime: 2015-01-14T22:00:00Z - disclosureTime: 2015-01-14T22:00:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-284 - credit: - - Yuriy Dyachenko - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70330 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70330 - title: SQL Injection - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to SQL Injection. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.3.5, 2.2.10 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-02) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2.3.0, <2.3.5' - - '>=2, <2.2.10' - publicationTime: 2015-02-18T19:15:09Z - disclosureTime: 2015-02-18T19:15:09Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-0270 - CWE: - - CWE-89 - credit: - - Grigory Ivanov - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70332 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70332 - title: CRLF Injection - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Potential CRLF injection attacks in mail and HTTP headers. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.3.8, 2.4.1 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-04) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.3.8 - - '>=2.4.0, <2.4.1' - publicationTime: 2015-05-07T08:53:42Z - disclosureTime: 2015-05-07T08:53:42Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-3154 - CWE: - - CWE-113 - credit: - - Filippo Tessarotto - - Maks3w - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70333 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70333 - title: XML External Entity (XXE) Injection - type: vuln - description: >- - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to XML External Entity (XXE) Injection. - - - - ## Details - - - - XXE Injection is a type of attack against an application that parses XML input. - - XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document. - - - - Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier. - - - - For example, below is a sample XML document, containing an XML element- username. 
- - - - ```xml - - - - John - - - - ``` - - - - An external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`. - - - - ```xml - - - - ]> - - &xxe; - - - - ``` - - - - Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service. - + - zendframework/zendframework@2.1.0 + package: zendframework/zendframework + version: 2.1.0 + severity: high + exploitMaturity: no-known-exploit + language: php + packageManager: composer + semver: + vulnerable: + - '>=2, <2.4.9' + publicationTime: 2015-11-23T14:30:00Z + disclosureTime: 2015-11-23T14:30:00Z + isUpgradable: false + isPatchable: false + isPinnable: false + identifiers: + CVE: + - CVE-2015-7503 + CWE: + - CWE-200 + credit: + - Unknown + CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvssScore: 7.5 + patches: [] + upgradePath: [] + - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70337 + url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70337 + title: Arbitrary Code Execution + type: vuln + description: > + ## Overview + Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Arbitrary Code Execution. - ## Remediation - Upgrade `zendframework/zendframework` to version 2.4.6, 2.5.1 or higher. + ## Remediation + Upgrade `zendframework/zendframework` to version 2.4.11 or higher. 
- ## References + ## References - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-06) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: proof-of-concept - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.6 - - '>=2.5.0, <2.5.1' - publicationTime: 2015-08-03T15:13:58Z - disclosureTime: 2015-08-03T15:13:58Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-5161 - CWE: - - CWE-611 - credit: - - Dawid Golunski - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R - cvssScore: 6.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70335 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70335 - title: Information Exposure - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Information Exposure. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.4.9 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-09) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: low - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.9 - publicationTime: 2015-11-23T14:30:00Z - disclosureTime: 2015-11-23T14:30:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-200 - credit: - - Vincent Herbulot - CVSSv3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 3.7 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70336 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70336 - title: Information Exposure - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Information Exposure. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.4.9 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2015-10) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - '>=2, <2.4.9' - publicationTime: 2015-11-23T14:30:00Z - disclosureTime: 2015-11-23T14:30:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2015-7503 - CWE: - - CWE-200 - credit: - - Unknown - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvssScore: 7.5 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70337 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-70337 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - Affected versions of [`zendframework/zendframework`](https://packagist.org/packages/zendframework/zendframework) are vulnerable to Arbitrary Code Execution. - - - ## Remediation - - Upgrade `zendframework/zendframework` to version 2.4.11 or higher. 
- - - ## References - - - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2016-04) - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: high - exploitMaturity: no-known-exploit - language: php - packageManager: composer - semver: - vulnerable: - - <2.4.11 - publicationTime: 2016-12-19T15:29:00Z - disclosureTime: 2016-12-19T15:29:00Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-94 - credit: - - Dawid Golunski - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L - cvssScore: 7.3 - patches: [] - upgradePath: [] - - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-72268 - url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-72268 - title: Arbitrary URL Rewrite - type: vuln - description: "## Overview\n[zendframework/zendframework](https://packagist.org/packages/zendframework/zendframework) provides functionality for consuming RSS and Atom feeds.\n\nAffected versions of this package are vulnerable to Arbitrary URL Rewrite. The request URI marshaling process contains logic that inspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. 
\n\nWhen these headers are present on systems not running the specific URL rewriting mechanism, the URLs are subject to rewriting, allowing a malicious client or proxy to emulate the headers to request arbitrary content.\n\n## Remediation\nUpgrade `zendframework/zendframework` to version 2.5.0 or higher.\n\n## References\n- [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2018-01)\n" - functions: [] - from: - - zendframework/zendframework@2.1.0 - package: zendframework/zendframework - version: 2.1.0 - severity: medium - exploitMaturity: no-known-exploit - language: php + - [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2016-04) + functions: [] + from: + - zendframework/zendframework@2.1.0 + package: zendframework/zendframework + version: 2.1.0 + severity: high + exploitMaturity: no-known-exploit + language: php + packageManager: composer + semver: + vulnerable: + - <2.4.11 + publicationTime: 2016-12-19T15:29:00Z + disclosureTime: 2016-12-19T15:29:00Z + isUpgradable: false + isPatchable: false + isPinnable: false + identifiers: + CVE: [] + CWE: + - CWE-94 + credit: + - Dawid Golunski + CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + cvssScore: 7.3 + patches: [] + upgradePath: [] + - id: SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-72268 + url: https://snyk.io/vuln/SNYK-PHP-ZENDFRAMEWORKZENDFRAMEWORK-72268 + title: Arbitrary URL Rewrite + type: vuln + description: "## Overview\n[zendframework/zendframework](https://packagist.org/packages/zendframework/zendframework) provides functionality for consuming RSS and Atom feeds.\n\nAffected versions of this package are vulnerable to Arbitrary URL Rewrite. The request URI marshaling process contains logic that inspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. 
\n\nWhen these headers are present on systems not running the specific URL rewriting mechanism, the URLs are subject to rewriting, allowing a malicious client or proxy to emulate the headers to request arbitrary content.\n\n## Remediation\nUpgrade `zendframework/zendframework` to version 2.5.0 or higher.\n\n## References\n- [Zend Framework Security Advisory](https://framework.zend.com/security/advisory/ZF2018-01)\n" + functions: [] + from: + - zendframework/zendframework@2.1.0 + package: zendframework/zendframework + version: 2.1.0 + severity: medium + exploitMaturity: no-known-exploit + language: php + packageManager: composer + semver: + vulnerable: + - <2.5.0 + publicationTime: 2018-08-15T08:34:54.643000Z + disclosureTime: 2018-08-02T16:29:46.707000Z + isUpgradable: false + isPatchable: false + isPinnable: false + identifiers: + CVE: [] + CWE: + - CWE-601 + credit: + - Drupal Security Team + CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvssScore: 5.3 + patches: [] + upgradePath: [] + licenses: [] + dependencyCount: 31 + org: + name: atokeneduser + id: 4a18d42f-0706-4ad0-b127-24078731fbed + licensesPolicy: null packageManager: composer - semver: - vulnerable: - - <2.5.0 - publicationTime: 2018-08-15T08:34:54.643000Z - disclosureTime: 2018-08-02T16:29:46.707000Z - isUpgradable: false - isPatchable: false - isPinnable: false - identifiers: - CVE: [] - CWE: - - CWE-601 - credit: - - Drupal Security Team - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvssScore: 5.3 - patches: [] - upgradePath: [] - licenses: [] - dependencyCount: 31 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: composer deprecated: false /test/dep-graph: post: 
@@ -15726,46 +10963,6 @@ paths: org: name: atokeneduser id: 4a18d42f-0706-4ad0-b127-24078731fbed - example: - ok: false - packageManager: maven - issuesData: - SNYK-JAVA-CHQOSLOGBACK-30208: - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - credit: - - Unknown - cvssScore: 9.8 - description: "## Overview\n\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.\nA configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. 
Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n## Remediation\n\nUpgrade `ch.qos.logback:logback-core` to version 1.1.11 or higher.\n\n\n## References\n\n- [Logback News](https://logback.qos.ch/news.html)\n\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929/)\n" - disclosureTime: 2017-03-13T06:59:00Z - fixedIn: - - 1.1.11 - id: SNYK-JAVA-CHQOSLOGBACK-30208 - identifiers: - CVE: - - CVE-2017-5929 - CWE: - - CWE-502 - language: java - mavenModuleName: - artifactId: logback-core - groupId: ch.qos.logback - moduleName: ch.qos.logback:logback-core - packageManager: maven - packageName: ch.qos.logback:logback-core - patches: [] - semver: - vulnerable: - - '[, 1.1.11)' - severity: critical - title: Arbitrary Code Execution - issues: - - pkgName: ch.qos.logback:logback-core - pkgVersion: 1.0.13 - issueId: SNYK-JAVA-CHQOSLOGBACK-30208 - fixInfo: {} - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed deprecated: false /monitor/dep-graph: post: @@ -15916,10 +11113,6 @@ paths: ok: true id: f7c065cd-5850-462d-a0ca-9719d07e3e38 uri: https://app.snyk.io/org/my-org/project/f7c065cd-5850-462d-a0ca-9719d07e3e38/history/39d14036-31f3-4f22-8037-1d979e0516ef - example: - ok: true - id: f7c065cd-5850-462d-a0ca-9719d07e3e38 - uri: https://app.snyk.io/org/my-org/project/f7c065cd-5850-462d-a0ca-9719d07e3e38/history/39d14036-31f3-4f22-8037-1d979e0516ef deprecated: false /reporting/issues/latest: post: 
@@ -16123,7 +11316,7 @@ paths: innerErrors: - invalid type filters.types is an invalid type unsupported-type deprecated: false - /reporting/issues/: + /reporting/issues: post: tags: - Reporting API @@ -17134,9 +12327,6 @@ paths: - example: id: d3cf26b3-2d77-497b-bce2-23b33cc15362 url: https://my.app.com/webhook-handler/snyk123 - example: - id: d3cf26b3-2d77-497b-bce2-23b33cc15362 - url: https://my.app.com/webhook-handler/snyk123 deprecated: false get: tags: @@ -17245,9 +12435,6 @@ paths: - example: id: d3cf26b3-2d77-497b-bce2-23b33cc15362 url: https://my.app.com/webhook-handler/snyk123 - example: - id: d3cf26b3-2d77-497b-bce2-23b33cc15362 - url: https://my.app.com/webhook-handler/snyk123 deprecated: false delete: tags: 
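Review bot: Dropping the trailing slash on `/reporting/issues/` changes the documented request target for the POST, and OpenAPI tooling treats `/reporting/issues` and `/reporting/issues/` as distinct paths, so clients generated from this spec will now send the slash-less form; please confirm the server routes that form directly. If it instead answers with a 301/302 redirect to the old path, most HTTP clients re-issue the request as a GET without the JSON body, and the report filters would be silently lost — only a 307/308 keeps the method and body on a redirected POST. If both forms are accepted, a one-line note in the operation description such as `description: 'The trailing-slash form of this path is deprecated; use /reporting/issues.'` would help existing integrations migrate. The `post:` operation this path introduces (tags, parameters, responses) continues outside the hunk.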
@@ -22510,35 +17697,6 @@ components: properties: SNYK-JAVA-CHQOSLOGBACK-30208: $ref: '#/components/schemas/SNYKJAVACHQOSLOGBACK30208' - example: - SNYK-JAVA-CHQOSLOGBACK-30208: - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - credit: - - Unknown - cvssScore: 9.8 - description: "## Overview\n\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.\nA configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. 
Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n## Remediation\n\nUpgrade `ch.qos.logback:logback-core` to version 1.1.11 or higher.\n\n\n## References\n\n- [Logback News](https://logback.qos.ch/news.html)\n\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929/)\n" - disclosureTime: 2017-03-13T06:59:00Z - fixedIn: - - 1.1.11 - id: SNYK-JAVA-CHQOSLOGBACK-30208 - identifiers: - CVE: - - CVE-2017-5929 - CWE: - - CWE-502 - language: java - mavenModuleName: - artifactId: logback-core - groupId: ch.qos.logback - moduleName: ch.qos.logback:logback-core - packageManager: maven - packageName: ch.qos.logback:logback-core - patches: [] - semver: - vulnerable: - - '[, 1.1.11)' - severity: critical - title: Arbitrary Code Execution issueSeverity: title: issueSeverity enum: 
@@ -23856,187 +19014,46 @@ components: - low - medium - high - - critical - type: object - properties: - low: - type: number - description: Number of low severity vulnerabilities - medium: - type: number - description: Number of medium severity vulnerabilities - high: - type: number - description: Number of high severity vulnerabilities - critical: - type: number - description: Number of critical severity vulnerabilities - sbt_Testforissuesinapublicpackagebygroupidartifactidandversionresponse: - title: sbt_Testforissuesinapublicpackagebygroupidartifactidandversionresponse - required: - - ok - - issues - - dependencyCount - - org - - licensesPolicy - - packageManager - type: object - properties: - ok: - type: boolean - issues: - $ref: '#/components/schemas/Issues1' - dependencyCount: - type: integer - format: int32 - org: - $ref: '#/components/schemas/Org1' - licensesPolicy: - type: string - nullable: true - packageManager: - type: string - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - url: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - - [org.apache.flex.blazeds:blazeds](https://github.com/apache/flex-blazeds) is an application development framework for easily building Flash-based applications for mobile devices, web browsers, and desktops. - - - - Affected versions of this package are vulnerable to Arbitrary Code Execution. - - The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data. By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization. 
- - - - Starting with BlazeDS version `4.7.3`, Deserialization of XML is disabled completely per default, while the `ClassDeserializationValidator` allows deserialization of whitelisted classes only. BlazeDS internally comes with the following whitelist: - - ``` - - flex.messaging.io.amf.ASObject - - flex.messaging.io.amf.SerializedObject - - flex.messaging.io.ArrayCollection - - flex.messaging.io.ArrayList - - flex.messaging.messages.AcknowledgeMessage - - flex.messaging.messages.AcknowledgeMessageExt - - flex.messaging.messages.AsyncMessage - - flex.messaging.messages.AsyncMessageExt - - flex.messaging.messages.CommandMessage - - flex.messaging.messages.CommandMessageExt - - flex.messaging.messages.ErrorMessage - - flex.messaging.messages.HTTPMessage - - flex.messaging.messages.RemotingMessage - - flex.messaging.messages.SOAPMessage - - java.lang.Boolean - - java.lang.Byte - - java.lang.Character - - java.lang.Double - - java.lang.Float - - java.lang.Integer - - java.lang.Long - - java.lang.Object - - java.lang.Short - - java.lang.String - - java.util.ArrayList - - java.util.Date - - java.util.HashMap - - org.w3c.dom.Document - - ``` - - - ## Remediation - - - Upgrade `org.apache.flex.blazeds:blazeds` to version 4.7.3 or higher. 
- - - - ## References - - - - [CVE-2017-3066](https://nvd.nist.gov/vuln/detail/CVE-2017-5641) - - - - [Github Commit](https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1) - - - - [Github Release Notes](https://github.com/apache/flex-blazeds/blob/master/RELEASE_NOTES) - - - - [Securitytracker Issue](http://www.securitytracker.com/id/1038364) - functions: [] - from: - - org.apache.flex.blazeds:blazeds@4.7.2 - package: org.apache.flex.blazeds:blazeds - version: 4.7.2 - severity: critical - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[,4.7.3)' - publicationTime: 2017-08-09T14:17:08Z - disclosureTime: 2017-04-25T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-5641 - CWE: - - CWE-502 - credit: - - Markus Wulftange - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: - - org.apache.flex.blazeds:blazeds@4.7.3 - licenses: [] - dependencyCount: 1 + - critical + type: object + properties: + low: + type: number + description: Number of low severity vulnerabilities + medium: + type: number + description: Number of medium severity vulnerabilities + high: + type: number + description: Number of high severity vulnerabilities + critical: + type: number + description: Number of critical severity vulnerabilities + sbt_Testforissuesinapublicpackagebygroupidartifactidandversionresponse: + title: sbt_Testforissuesinapublicpackagebygroupidartifactidandversionresponse + required: + - ok + - issues + - dependencyCount + - org + - licensesPolicy + - packageManager + type: object + properties: + ok: + type: boolean + issues: + $ref: '#/components/schemas/Issues1' + dependencyCount: + type: integer + format: int32 org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: maven + $ref: '#/components/schemas/Org1' + licensesPolicy: + type: 
string + nullable: true + packageManager: + type: string score: title: score type: object @@ -24402,16 +19419,7 @@ components: properties: contents: type: string - example: - name: vulnerable/project - description: A sample vulnerable project - require: - php: '>=5.3.2' - symfony/symfony: v2.3.1 - yiisoft/yii: 1.1.14 - zendframework/zendframework: 2.1.0 - aws/aws-sdk-php: 3.0.0 - doctrine/common: 2.5.0 + example: '' description: the `composer.json` file, encoded according the the "encoding" field. target7: title: target7 
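Review bot: The new `example: ''` for `contents` is type-correct (the old mapping example contradicted `type: string`), but an empty string shows a reader nothing about the encoded `composer.json` payload the description refers to, so the example no longer documents the one thing that matters for this property. A non-empty string example would be more useful, e.g. `example: '{"name":"vulnerable/project","require":{"php":">=5.3.2"}}'` if the `encoding` field permits a plain form, or the base64 of that same document if base64 is the only accepted encoding — the allowed `encoding` values are not visible in this hunk, so use whichever the schema actually accepts. On the same property, the unchanged description reads "according the the", which should be "according to the". The enclosing schema continues outside the hunk (`target7` follows it).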
@@ -27086,291 +22094,15 @@ components: type: string issuesData: $ref: '#/components/schemas/IssuesData' - issues: - type: array - items: - $ref: '#/components/schemas/Issues18' - description: '' - org: - $ref: '#/components/schemas/Org1' - example: - ok: false - packageManager: maven - issuesData: - SNYK-JAVA-CHQOSLOGBACK-30208: - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - credit: - - Unknown - cvssScore: 9.8 - description: "## Overview\n\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.\nA configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. 
Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n## Remediation\n\nUpgrade `ch.qos.logback:logback-core` to version 1.1.11 or higher.\n\n\n## References\n\n- [Logback News](https://logback.qos.ch/news.html)\n\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929/)\n" - disclosureTime: 2017-03-13T06:59:00Z - fixedIn: - - 1.1.11 - id: SNYK-JAVA-CHQOSLOGBACK-30208 - identifiers: - CVE: - - CVE-2017-5929 - CWE: - - CWE-502 - language: java - mavenModuleName: - artifactId: logback-core - groupId: ch.qos.logback - moduleName: ch.qos.logback:logback-core - packageManager: maven - packageName: ch.qos.logback:logback-core - patches: [] - semver: - vulnerable: - - '[, 1.1.11)' - severity: critical - title: Arbitrary Code Execution - issues: - - pkgName: ch.qos.logback:logback-core - pkgVersion: 1.0.13 - issueId: SNYK-JAVA-CHQOSLOGBACK-30208 - fixInfo: {} - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - Testforissuesinapublicgembynameandversionresponse: - title: Testforissuesinapublicgembynameandversionresponse - required: - - ok - - issues - - dependencyCount - - org - - licensesPolicy - - packageManager - type: object - properties: - ok: - type: boolean - issues: - $ref: '#/components/schemas/Issues1' - dependencyCount: - type: integer - format: int32 - org: - $ref: '#/components/schemas/Org1' - licensesPolicy: - type: string - nullable: true - packageManager: - type: string - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-RUBY-RAILSHTMLSANITIZER-22025 - url: https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-22025 - title: Cross-site Scripting (XSS) - type: 
vuln - description: "## Overview\n[rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer)\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications.\n\nThis issue is similar to [CVE-2018-8048](https://snyk.io/vuln/SNYK-RUBY-LOOFAH-22023) in Loofah.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `rails-html-sanitizer` to version 1.0.4 or higher.\n\n## References\n- [Ruby on Rails Security Google Forum](https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ)\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-3741)\n" - functions: [] - from: - - rails-html-sanitizer@1.0.3 - package: rails-html-sanitizer - version: 1.0.3 - severity: medium - exploitMaturity: no-known-exploit - language: ruby - packageManager: rubygems - semver: - vulnerable: - - <1.0.4 - publicationTime: 2018-03-27T07:42:10.777000Z - disclosureTime: 2018-03-22T21:46:15.453000Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2018-3741 - CWE: - - CWE-79 - credit: - - Kaarlo Haikonen - CVSSv3: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvssScore: 6.1 - patches: [] - upgradePath: - - rails-html-sanitizer@1.0.4 - licenses: [] - dependencyCount: 5 - org: - name: atokeneduser - id: 4a18d42f-0706-4ad0-b127-24078731fbed - licensesPolicy: null - packageManager: rubygems - Testforissuesinapublicpackagebygroupidartifactidandversionresponse: - title: Testforissuesinapublicpackagebygroupidartifactidandversionresponse - required: - - ok - - issues - - dependencyCount - - org - - licensesPolicy - - packageManager - type: object - properties: - ok: - type: boolean - issues: - $ref: '#/components/schemas/Issues1' - dependencyCount: - type: integer - format: int32 - org: - $ref: '#/components/schemas/Org1' - licensesPolicy: - type: string - nullable: true - packageManager: - type: string - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - url: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - title: Arbitrary Code Execution - type: vuln - description: > - ## Overview - - - [org.apache.flex.blazeds:blazeds](https://github.com/apache/flex-blazeds) is an application development framework for easily building Flash-based applications for mobile devices, web browsers, and desktops. - - - - Affected versions of this package are vulnerable to Arbitrary Code Execution. - - The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data. By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization. - - - - Starting with BlazeDS version `4.7.3`, Deserialization of XML is disabled completely per default, while the `ClassDeserializationValidator` allows deserialization of whitelisted classes only. 
BlazeDS internally comes with the following whitelist: - - ``` - - flex.messaging.io.amf.ASObject - - flex.messaging.io.amf.SerializedObject - - flex.messaging.io.ArrayCollection - - flex.messaging.io.ArrayList - - flex.messaging.messages.AcknowledgeMessage - - flex.messaging.messages.AcknowledgeMessageExt - - flex.messaging.messages.AsyncMessage - - flex.messaging.messages.AsyncMessageExt - - flex.messaging.messages.CommandMessage - - flex.messaging.messages.CommandMessageExt - - flex.messaging.messages.ErrorMessage - - flex.messaging.messages.HTTPMessage - - flex.messaging.messages.RemotingMessage - - flex.messaging.messages.SOAPMessage - - java.lang.Boolean - - java.lang.Byte - - java.lang.Character - - java.lang.Double - - java.lang.Float - - java.lang.Integer - - java.lang.Long - - java.lang.Object - - java.lang.Short - - java.lang.String - - java.util.ArrayList - - java.util.Date - - java.util.HashMap - - org.w3c.dom.Document - - ``` - - - ## Remediation - - - Upgrade `org.apache.flex.blazeds:blazeds` to version 4.7.3 or higher. 
- - - - ## References - - - - [CVE-2017-3066](https://nvd.nist.gov/vuln/detail/CVE-2017-5641) - - - - [Github Commit](https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1) - - - - [Github Release Notes](https://github.com/apache/flex-blazeds/blob/master/RELEASE_NOTES) - - - - [Securitytracker Issue](http://www.securitytracker.com/id/1038364) - functions: [] - from: - - org.apache.flex.blazeds:blazeds@4.7.2 - package: org.apache.flex.blazeds:blazeds - version: 4.7.2 - severity: critical - exploitMaturity: no-known-exploit - language: java - packageManager: maven - semver: - vulnerable: - - '[,4.7.3)' - publicationTime: 2017-08-09T14:17:08Z - disclosureTime: 2017-04-25T21:00:00Z - isUpgradable: true - isPatchable: false - isPinnable: false - identifiers: - CVE: - - CVE-2017-5641 - CWE: - - CWE-502 - credit: - - Markus Wulftange - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 - patches: [] - upgradePath: - - org.apache.flex.blazeds:blazeds@4.7.3 - licenses: [] - dependencyCount: 1 + issues: + type: array + items: + $ref: '#/components/schemas/Issues18' + description: '' org: - name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 - licensesPolicy: null - packageManager: maven - Testforissuesinapublicpackagebygroupnameandversionresponse: - title: Testforissuesinapublicpackagebygroupnameandversionresponse + $ref: '#/components/schemas/Org1' + Testforissuesinapublicgembynameandversionresponse: + title: Testforissuesinapublicgembynameandversionresponse required: - ok - issues 
@@ -27398,143 +22130,97 @@ components: ok: false issues: vulnerabilities: - - id: SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - url: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEFLEXBLAZEDS-31455 - title: Arbitrary Code Execution + - id: SNYK-RUBY-RAILSHTMLSANITIZER-22025 + url: https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-22025 + title: Cross-site Scripting (XSS) type: vuln - description: > - ## Overview - - - [org.apache.flex.blazeds:blazeds](https://github.com/apache/flex-blazeds) is an application development framework for easily building Flash-based applications for mobile devices, web browsers, and desktops. - - - - Affected versions of this package are vulnerable to Arbitrary Code Execution. - - The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data. By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization. - - - - Starting with BlazeDS version `4.7.3`, Deserialization of XML is disabled completely per default, while the `ClassDeserializationValidator` allows deserialization of whitelisted classes only. 
BlazeDS internally comes with the following whitelist: - - ``` - - flex.messaging.io.amf.ASObject - - flex.messaging.io.amf.SerializedObject - - flex.messaging.io.ArrayCollection - - flex.messaging.io.ArrayList - - flex.messaging.messages.AcknowledgeMessage - - flex.messaging.messages.AcknowledgeMessageExt - - flex.messaging.messages.AsyncMessage - - flex.messaging.messages.AsyncMessageExt - - flex.messaging.messages.CommandMessage - - flex.messaging.messages.CommandMessageExt - - flex.messaging.messages.ErrorMessage - - flex.messaging.messages.HTTPMessage - - flex.messaging.messages.RemotingMessage - - flex.messaging.messages.SOAPMessage - - java.lang.Boolean - - java.lang.Byte - - java.lang.Character - - java.lang.Double - - java.lang.Float - - java.lang.Integer - - java.lang.Long - - java.lang.Object - - java.lang.Short - - java.lang.String - - java.util.ArrayList - - java.util.Date - - java.util.HashMap - - org.w3c.dom.Document - - ``` - - - ## Remediation - - - Upgrade `org.apache.flex.blazeds:blazeds` to version 4.7.3 or higher. - - - - ## References - - - - [CVE-2017-3066](https://nvd.nist.gov/vuln/detail/CVE-2017-5641) - - - - [Github Commit](https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1) - - - - [Github Release Notes](https://github.com/apache/flex-blazeds/blob/master/RELEASE_NOTES) - - - - [Securitytracker Issue](http://www.securitytracker.com/id/1038364) + description: "## Overview\n[rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer)\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). 
The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications.\n\nThis issue is similar to [CVE-2018-8048](https://snyk.io/vuln/SNYK-RUBY-LOOFAH-22023) in Loofah.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## Remediation\nUpgrade `rails-html-sanitizer` to version 1.0.4 or higher.\n\n## References\n- [Ruby on Rails Security Google Forum](https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ)\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-3741)\n" functions: [] from: - - org.apache.flex.blazeds:blazeds@4.7.2 - package: org.apache.flex.blazeds:blazeds - version: 4.7.2 - severity: critical + - rails-html-sanitizer@1.0.3 + package: rails-html-sanitizer + version: 1.0.3 + severity: medium exploitMaturity: no-known-exploit - language: java - packageManager: maven + language: ruby + packageManager: rubygems semver: vulnerable: - - '[,4.7.3)' - publicationTime: 2017-08-09T14:17:08Z - disclosureTime: 2017-04-25T21:00:00Z + - <1.0.4 + 
publicationTime: 2018-03-27T07:42:10.777000Z + disclosureTime: 2018-03-22T21:46:15.453000Z isUpgradable: true isPatchable: false isPinnable: false identifiers: CVE: - - CVE-2017-5641 + - CVE-2018-3741 CWE: - - CWE-502 + - CWE-79 credit: - - Markus Wulftange - CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvssScore: 9.8 + - Kaarlo Haikonen + CVSSv3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvssScore: 6.1 patches: [] upgradePath: - - org.apache.flex.blazeds:blazeds@4.7.3 + - rails-html-sanitizer@1.0.4 licenses: [] - dependencyCount: 1 + dependencyCount: 5 org: name: atokeneduser - id: 689ce7f9-7943-4a71-b704-2ba575f01089 + id: 4a18d42f-0706-4ad0-b127-24078731fbed licensesPolicy: null - packageManager: maven + packageManager: rubygems + Testforissuesinapublicpackagebygroupidartifactidandversionresponse: + title: Testforissuesinapublicpackagebygroupidartifactidandversionresponse + required: + - ok + - issues + - dependencyCount + - org + - licensesPolicy + - packageManager + type: object + properties: + ok: + type: boolean + issues: + $ref: '#/components/schemas/Issues1' + dependencyCount: + type: integer + format: int32 + org: + $ref: '#/components/schemas/Org1' + licensesPolicy: + type: string + nullable: true + packageManager: + type: string + Testforissuesinapublicpackagebygroupnameandversionresponse: + title: Testforissuesinapublicpackagebygroupnameandversionresponse + required: + - ok + - issues + - dependencyCount + - org + - licensesPolicy + - packageManager + type: object + properties: + ok: + type: boolean + issues: + $ref: '#/components/schemas/Issues1' + dependencyCount: + type: integer + format: int32 + org: + $ref: '#/components/schemas/Org1' + licensesPolicy: + type: string + nullable: true + packageManager: + type: string Testforissuesinapublicpackagebynameandversionresponse: title: Testforissuesinapublicpackagebynameandversionresponse required: 
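Review bot: The XSS description embedded in the new rails-html-sanitizer example (the `description:` scalar of the issue) has lost its HTML entities — the sentence on escaping now says that `<` can be coded as `<` and `>` as `>`, which is circular and teaches nothing about escaping; it should read `&lt;` and `&gt;`, so the entities need to survive (or be re-escaped as `&amp;lt;` / `&amp;gt;`) when the vulnerability text is serialized into the spec. The same string carries a stray U+05BF combining mark before "Injecting malicious code", and its `Stored` row describes stored XSS as a link the user clicks, whereas the defining property is that the payload is persisted server-side and runs whenever a page that embeds it is rendered, with no click required. Since this text looks copied from the vulnerability database rather than authored here, the correction presumably belongs in whatever generates the example, but that is inferred, not visible in the diff. The enclosing `example:` mapping starts before this hunk.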
@@ -28312,216 +22998,6 @@ components: nullable: true packageManager: type: string - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 - url: http://localhost:34612/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 - title: Insecure Randomness - type: vuln - description: "## Overview\n[github.com/satori/go.uuid](https://github.com/satori/go.uuid) provides pure Go implementation of Universally Unique Identifier (UUID).\r\n\r\nAffected versions of this package are vulnerable to Insecure Randomness producing predictable `UUID` identifiers due to the limited number of bytes read when using the `g.rand.Read` function.\r\n \r\n## Disclosure Timeline\r\n* Jun 3th, 2018 - The vulnerability introduced by replacing the function `rand.Read()` with the function `g.rand.Read()` (https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c)\r\n* Mar 23th, 2018- An issue was reported.\r\n* Oct 16th, 2018 Issue fixed\r\n\r\n## Remediation\r\nA fix was merged into the master branch but not yet published.\n\n## References\n- [GitHub Commit](https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45)\n- [Github Issue](https://github.com/satori/go.uuid/issues/73)\n" - functions: [] - from: - - github.com/satori/go.uuid@v1.2.0 - package: github.com/satori/go.uuid - version: v1.2.0 - severity: high - exploitMaturity: no-known-exploit - language: golang - packageManager: golang - semver: - hashesRange: - - '>=0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c =0' - vulnerableHashes: - - '*' - - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0 - title: MPL-2.0 license - type: license - from: - - github.com/hashicorp/hcl/json/scanner@v1.0.0 - package: github.com/hashicorp/hcl/json/scanner - version: v1.0.0 - severity: medium - language: golang - packageManager: golang - semver: - vulnerable: - - '>=0' - vulnerableHashes: - - '*' 
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/json/parser@v1.0.0
- package: github.com/hashicorp/hcl/json/parser
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/hcl/token@v1.0.0
- package: github.com/hashicorp/hcl/hcl/token
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/hcl/strconv@v1.0.0
- package: github.com/hashicorp/hcl/hcl/strconv
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/hcl/scanner@v1.0.0
- package: github.com/hashicorp/hcl/hcl/scanner
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/hcl/printer@v1.0.0
- package: github.com/hashicorp/hcl/hcl/printer
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/hcl/parser@v1.0.0
- package: github.com/hashicorp/hcl/hcl/parser
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl/hcl/ast@v1.0.0
- package: github.com/hashicorp/hcl/hcl/ast
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- - id: snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- url: http://localhost:34612/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0
- title: MPL-2.0 license
- type: license
- from:
- - github.com/hashicorp/hcl@v1.0.0
- package: github.com/hashicorp/hcl
- version: v1.0.0
- severity: medium
- language: golang
- packageManager: golang
- semver:
- vulnerable:
- - '>=0'
- vulnerableHashes:
- - '*'
- dependencyCount: 101
- org:
- name: atokeneduser
- id: 689ce7f9-7943-4a71-b704-2ba575f01089
- licensesPolicy: null
- packageManager: golangdep
 Testgradlefileresponse:
 title: Testgradlefileresponse
 required:
@@ -29080,380 +23556,6 @@ components: nullable: true packageManager: type: string - example: - ok: false - issues: - vulnerabilities: - - id: SNYK-GOLANG-GITHUBCOMDOCKERLIBCONTAINER-50012 - url: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDOCKERLIBCONTAINER-50012 - title: Symlink Attack - type: vuln - description: > - ## Overview - - Affected version of [`github.com/docker/libcontainer`](https://github.com/docker/libcontainer) are vulnerable to Symlink Attacks. - - Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. - - - ## References - - - [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3627) - - - [GitHub Commit](https://github.com/docker/libcontainer/commit/46132cebcf391b56842f5cf9b247d508c59bc625) - - - [Packetstorm Security](http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html) - - - [Seclists](http://seclists.org/fulldisclosure/2015/May/28) - - - [Docker Security Advisory](https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ) - functions: [] - from: - - github.com/docker/libcontainer@v1.4.0 - package: github.com/docker/libcontainer - version: v1.4.0 - severity: critical - exploitMaturity: no-known-exploit - language: golang - packageManager: golang - semver: - hashesRange: - - '>=5c246d038fc47b8d57a474e1b212ffe646764ee9 <46132cebcf391b56842f5cf9b247d508c59bc625' - vulnerable: - - <1.6.1 - vulnerableHashes: - - cab4b9bce1bece1b6c575e1826f3e5b221faebf3 - - 4a72e540feb67091156b907c4700e580a99f5a9d - - eb74393a3d2daeafbef4f5f27c0821cbdd67559c - - 4332ffcfc6765245e8e9151a2907b0e4b76f218f - - 7eceabd47f41328d6e894418ae167ce8377bda22 - - ecace12e5a3e309d82c5b3b1548a3251b3bc4e2a - - afb167a417ed8379c008b070fb5c0b1bc84bbcba - - 2b4512809110033e5ec532167efd6fabf2dd596d - - 
c2403c32dbf8a67870ab2ba7524c117fc0652256 - - 4077c254a6ac99930d720a9b95709dbd2614bc61 - - 1b755bf962ec1d29e9e5e66e2cc15704fac088e7 - - 1c9de5b4d21b94499a1e91c9b94ba06831ac5393 - - e3184f97e040c3121502dc382d41ac58a98b685a - - 0dee9793d5efd9842a2e8890fa0f8981d20b196e - - 3e9299d6da5749b263fc3dc93d50b5c854fa199c - - 152107f44ae9e38b38609fdbc75ac6f9f56c4fed - - 623fe598e4d5e75e70440f45298eecec414788b3 - - e30793aed7a30772054abfb1b3f3f703f119b55b - - 0596e6384a586223c56c5ea7d14467ebf5d17247 - - 42fed751fbab3f340461d06edb896cd10cd49812 - - e451df796aaa605413a0b84ddd1bf39ec4a751a0 - - b0eece8d7d945e1e7fc98c2ae3b7dd0a860a7c2a - - 5c246d038fc47b8d57a474e1b212ffe646764ee9 - - bfa67ab988f434fd6836c1868eb5d7d1d7864e8a - - 9bebc660423ca974192599a6a5ea8e016a6fe1fc - - e22b58954324b3593737438032412f15ed9602e9 - - af371eae767ceb51b8804f212bf97584d876feb3 - - f61899ece3fc1da206a0eb28fada0595ab381887 - - 0d0402712b5a13d1b54a345a63ec67982e2e0089 - - d1ae7cd67310f482af22de3abeb26d28e65274bf - - 9f2c67332f48c0050846ac86e01cb5dadbd1d8fe - - 62bdfc482d8edaa618b544fb2beafdf0c44dce5e - - 699429e60f23ab0fa3bdd97b6326316be08791ad - - 35c01f9eb3c228201a3fc5d2301d1fc7a00bde13 - - a72f710d89eaabf23dad7c084082bccb26e6336f - - eb84dd1b73df035e6e64c8513daaa476c72dedfc - - 5b73860e65598203b26d57aabc96ae0f52c9f9ab - - d64cfe5c05448935c75c92f65d604c751bbf5153 - - 62626677876330d60fe3512f59f1fd8f82799ca5 - - 43842efeccbd8077dba8f85fc9e772e0647b82cb - - d6cd7ce43faa53d212052dbbcf209029ec2ec951 - - ebefcddc3c4b99ae312ac575c288856e177ed6ef - - 83add60f217d32561ff0ff62ebf1d6db6a2a11a3 - - 14af6755f04233fbe55cb354a9351fe05afd43a0 - - 8530167f7f5b5eb329f5377b6b74a904482a10ed - - 000d36e109f5d04bad5342bb779e02b2b9b252f7 - - 1db687f4f480c06e6cadfdb0971985df4313ddc7 - - 689e8ec9493a4294856dc1568f5ef667e106707c - - 0eb8a1aac3d903b3c7925208c34f09c02910e7aa - - edb31ce0a6fd7956bffc0829000c60bdd56b9f32 - - 53fce307557cbffdbc54647ef63956b2cb0cee86 - - c22d5c90cf907f4f34d2bc13cad9c82a7fce9077 - - 
ef1c1c4289559e818d3ec77ce9c1b6a77d2ac764 - - 2da44f8c7b703f87e9c07164c9cc1cdd31031783 - - ee102305fb35a23668136b102ed4d0dd5b3d9ce5 - - 3ca0e1ff95c54577c65b5fbb734c267c23782974 - - f115a5f6c8c2a3cc6340408e6644236a88dcaad0 - - 29ba9b3179d014cc87129af5c51b1263443f387b - - c1ca18404fa63209e0a65abf443669155991b4df - - 5bb81469895d669ddcb4b49e83809a980d57d6b1 - - 6feb7bda04b3130e81cf9606ddb7a156d4a63f7a - - 7c8550af53b4d428d8f3a7c19c0c4a8ebca8ff21 - - 7766c1e07bd49fdc290f0557268950d35b867823 - - 4903df2ed52a01f08626739ad35937752de82a09 - - 58feafa848d9657dda34e5ccc3a196e359566bda - - 9e787db1b108941edab18209a7468e6c555002ce - - e7953c3609b62a25b0bfedcd9d3885ca1b99d2fb - - 8c3b6b18689796bc9625258258e8664746b24e85 - - dd3cb8822352fd4acc0b8b426bd86e47e98f6853 - - cc524f1b729cb5d7592d0a0b07cb3ff1fe6eda98 - - c22ac4876f0a218584ae862900f3058470be38a3 - - c1fb904d1047359e8c4dadafaa0ab065efe9e03e - - 1f176f3c0dae283d66df5360de8a93ec14b4fbd0 - - 50f0faa795dc62773857a0cc3cfb6d5681ba3562 - - 3fbf1856025f54b6eab6e73b7ff8aa4d1020e1c1 - - f4a4391e4ef7e886e56816ae59cbe99d8cff91d9 - - 2d9ef3af72e89ad9df164bd0f435371aa4fa0dea - - 187792e35bb47c89fdfe34409162c814627daacc - - b322073f27b0e9e60b2ab07eff7f4e96a24cb3f9 - - f78bf211f023d28392c6aa0d1934bb1001b3a180 - - 20af7e70e2511b4da0e035bf2fa2d6295f198970 - - f8eb40433c4a8617a20ad36119973af6f9dd2cd0 - - d7dea0e925315bab640115053204c16718839b1e - - 295c70865d10d7c57ba13cbef45c1d276ebfa83e - - 5a87153824b838be92503b57e76e96519b84b522 - - fec4c5ab0a75d7e6a46955bda0818bed7f8fecf3 - - 6a76ecb1ce53d9e623826b238033b86f072395a9 - - 2c037b7fd98e1c03e0c67ceccfd8e3300457e07e - - 4ce8d973204ebace2970c662f6f841ab11a3cc13 - - 870119e763b5976d7331fbd8656ed65207ba95ad - - 58fc93160e03387a4f41dcf4aed2e376c4a92db4 - - a3b0209cc61301941810e54bc3678ccff9af71c1 - - ec005e73b9169d17651618b91836a5d86eb7b24c - - 2fac2dad91e390acb8937ede6154c265b7011cf9 - - 0195469398f4fc1d42c0c20172b51e03ccf9ff1a - - 8d0b06257ba659ee91fa3862ed358cecbee37f73 - - 
6516e6ce8c7c71e44f95332ef740ea4082cfee39 - - 55d61e22c5e0e4dc00c99847ba20a8ffa1e3a3d4 - - ca73d7aede7eaa05f4a0acb4bd5cb17a9408cd27 - - 43fabe36d18fa36326d9e5efd2cca8b9376a7fdf - - c06f92353f4f74cdb1c66ee0bbae1cdbb46934ce - - d6fae7bb26807a386f5dd9a1ec2dc5ac51c24498 - - bde8bf2ebc5630399c7d0965f58b502100180400 - - 444cc2989aca50986b45a56bfd8a32bd7ea23c1c - - f5dfd9a702ad163be35023fe08c9573a614d6121 - - 6c2f20eeeca488b98a613e013712d7c9a3d1e619 - - cc42996625afaf38d281f2457b08551a3df0d7bc - - 903680701ad5cf25484d0ac3e78152807dfa90b3 - - 69228248334a576549a9af9df389b3cbfe0c211c - - 6460fd79667466d2d9ec03f77f319a241c58d40b - - 7d9244eab20fc96230636a066f88ad5165c34bc7 - - 9387ebb6ba5fca526aedb54c7df684102639caa3 - - b21b19e0607582cceb8d715b85d27ec113a0b799 - - c4821b6f3e0a41af6bf3ed1cfa168c13381b9554 - - 397b675315d00a34a09f058dd7e462af6f715da3 - - c504f85aabbff0d7380ca9da3f6051c56905c7c0 - - 0f8f0601ae5668510ab7bde03041dafd39b18ec6 - - c3ab8d0cb4b439b7691edf7b63fcecd169834250 - - 22df5551ed7367eb9cbb0cc22aea46351d2495ad - - d284fdfaa36d37cbba5749562d6f9303ebab7d2f - - a9a503082e492575be352c9c82040c1f4ed468d1 - - 5fedffd8fd387b24b25186622c9566325ab3db1b - - dc827aa0ee51829d292524fdf3a7a163feadabe2 - - f925aa3503eeba9d372c74d1fe2b17c8ecd97960 - - bc1d229dbe94a0100f4530b47e9c918f27b8cecd - - 71a57166c1209103dcd4355d21c161bd0f09e481 - - a9644c209f7764f9155db0c4aeb4f690c0cdb585 - - bcfdee970e8a32d04b472cd2c5712e10a5e425fe - - 3c474b9e2aad7c577faefca6c35a8512140c0c65 - - c34b3d5ce90a6b2828d5b97f553f4b49f64081af - - 286fffa4eeda7745f3b36dc938dae3e155d1b204 - - d1f0d5705debbe4d4b1aed7e087d5c49300eb271 - - 08fdb50b03dc810ca8c4386f4f8271a8d51d4445 - - c44ab12c86689065978950d2ed92bb131b2a932c - - 5df859ad240af502aebef01ca28da3ef24951e05 - - ef4efd065cb6c136c7fcbdd65285cff549b745ac - - 2f1b2ce204490854938fab57142b557caa4ab66d - - a36d471a0ef4e119ecfb41257aad246464024a40 - - 83663f82e3d76f57ea57faf80b8fd7eb96933b9b - - e8f5b543010eb0db146fd2593284ed19af93eccd - - 
c8512754166539461fd860451ff1a0af7491c197 - - dc4c502efd85727abfed95af7789caa7f10d020d - - 4940cee052ece5a8b2ea477699e7bb232de1e1f8 - - 025e6be6c5dc3d535286461088416afa74c42927 - - b4cda7a6cabf1966daf67f291c2c41ff9a1369f4 - - 074441b495052c456f4b96524bd7a80d00db42e8 - - 5847aacb32742fd734fa2c0584cae65636bba370 - - f9590b0927744d22ad0e1b737eecd07a48bb4c2f - - e05f807a8936b4491632290f13958ca26d0aaace - - fd0087d3acdc4c5865de1829d4accee5e3ebb658 - - 38f729e577e07b2c3333ed4b04146e1d64f665a8 - - 8a8eb57746e5372080a5f5e5b6fb9dce178c8220 - - afa8443118347a1f909941aec2732039d28a9034 - - d6eb76f8a2184688489fc3a611d80de36ef50877 - - 0f397d4e145fb4053792d42b3424dd2143fb23ad - - ba613c5a847ff30d312726eeff444714f8e31cde - - 445bebc1b16b1f2646a3cae841fe0e1266d79ada - - e2ed997ae5b675fc8e78e7d0f9e6918c8b87503c - - 3b95acdfa1e54de15cae2fc3083147a185a31792 - - cacc15360ec04abb4c45f918e83bf33203946e32 - - 09809b551ce9f05e96fc3055ae7a23329604415b - - 2a9511a0266afd48251609a03533094afe22fce2 - - b6cf7a6c8520fd21e75f8b3becec6dc355d844b0 - - fc3981ea5c10fb21cae6d6a8e78755be5b169999 - - dc34fe188385f42198997f6aedc170487c57c7eb - - e9f8f8528abef64b8e1b8bc046a008b009ab2417 - - fe9f7668957641a404b0d2c8850f104df591e7f2 - - 8da9c6878fa29f33dcfd74b1146d457a576d738a - - 4622c8ac9541790365eda22b6ce65d038f4026fe - - 3977c892e78d91a0c6d2a34fd2512a6c53c8d924 - - 1bd146ed82f771395f991851f7d896d9ae778f3c - - 77085907a44039fe1cf9fe24d9c7675aa53d2f9b - - 107bad0ee5141bb847257a6f57dff2469dd584da - - 2da159823d0a54756308e73dc0e58a420daffad4 - - 94fb37f5573e1484ba686b195079684cace18eb0 - - 5c6332687d5d7c902cdd954e4e6a107ed6c60848 - - 8b77eba9a6b506c71d1542d2fab1495249a7f7b6 - - da32455210de558c829f089e8c3a3d1ed8c34a5b - - e1c14b3ca245fd06ef538005cd3a250904be5b4c - - f0d1a8fc27830b899c5789ba2f80dfa9458792a4 - - 846e522ffc157c12ba244c2c8a2c6adb1ed789f7 - - 2a452c17aa2417cd89b5e25e8549f9e09c94a0dc - - 3cd416efe1e5b7d1679a20a91a73d757d481633b - - e0de51f53c6b2711f39f4f29eb58b63a9ebf2c5c - - 
f7837f4f717a9f09cf34fc325061ee8e38d1100a
- - 13a5703d853fbd311e1fcfc5c95d459021781951
- - 2aebf7d849e47ca927de332b82983ba8fe03d062
- - 56bc1485df0ac0c2fe8ae5e0499e50a0580f2522
- - 8d0f911e1d9265a8f362a7a16b893f7c40aee434
- - dc82e30089dbba31a1d0cf459321486a9b546fa0
- - 4d863b7bd0d7da6ca1108031fd7d7997bf504496
- - 73ba097bf596249068513559225d6e18c1767b47
- - da109f3af037352af24f935b1ea57ba8a7f26cad
- - 3c52181f613353cc3b8aefbbf637c15a11cb8242
- - c96cde4e5db0da7e798e2712c2312f2468720a98
- - 52a8c004ca94cf98f6866536de828c71eb42d1ec
- - b89112c542edcc9cf5af75694c16af28a3e4f12b
- - c099a20eb8bd084c17d9348bd0f6bef066ea514f
- - 8067e34ec01588d2952d57e21c8c637fd3d3d114
- - 9d4f6b3d3d4feba35ea13097be415bf099b670ce
- - 334b1963711b743bf014502c5513a82a23eb65cc
- - 190e50b08dbd72fd1d9f21f20581fa27a498481c
- - 4c43b0f49880840966cb5df13abeeb19aa8e16d7
- - 9946e299af9e911a54c83626f245dff20127e442
- - 9825a26db570697e058a4580ec3b71ab3d82fc24
- - f8daab8a96fe2c73974073696d00deb4ffb40d47
- - 88989e66d3a1ab960deb37f3dd7f824d85e1b9bc
- - c5eef904604b7e22083927bb99ea0c196d4cb8b9
- - 4661c239dc6394aba960ba73144f2a7e3859537f
- - 9303a8f15f6e55931a08542636922c1bf041ad52
- - 9d91f080ced0bbfcbd3c003e2a20c9cdc81bc4ff
- - 99233fde8c4f58853a474a5831ef0bcf6bf866c5
- - 14a7d2f468404e25577dced6982248e80ddce79a
- - b6a1b889852cd6b365833ce2b04a0c1092867f75
- - 5d6c507d7cfeff97172deedf3db13b5295bcacef
- - b89cd0cf5cf5deec2ed6fdc0d8ed4e4f3167aeb4
- - be02944484da197166020d6b3f08a19d7d7d244c
- - c37b9125ecaad0c100b6851baacf97adfa2339d6
- - 045e9ae4a0fa8bff397b3c4f2614a3e609e6dd66
- - 9744d72c740dd8cdfbb8cb4c58fb235355e0a0b4
- - 74005ed4e0cdbc87ce40c6b79edfd599ba2355e9
- - 1d7207079fc6ab5b2cbfedda3fc8993bc4441b02
- - 8961fd20e6e213bf967db90166e24d38da065807
- - dd5576b2b3f5667811f882d1f64a11e13164791a
- - 8600e6f3158bafe927706f0613c1520971d16c32
- - e9c1b0144ae784df9d26f59bfadd8cb2fc3a1d69
- - 6423c8d2613e5130e9c37620773d2173c76f0acd
- - b48acf4613cc5347ca10b6d6edd6e1b94a5378c4
- - 6c285c1d4964662ac64f0b98620d154caf423d79
- - 312f997de638b8c18f92a59596a984bdb1a06a4e
- - 11d14f2621370a527d2401c8bba10d2408819131
- - a6044b701c166fe538fc760f9e2dcea3d737cd2a
- - 91a3f162afc90339b1d8f8d2f22d9c4271eddb84
- - 54301f55934f42598b8f7c88effc4bd588e5f3e7
- - 29f5cb6b391eea625c512df1f2ae7d9efccfbae9
- - 087caf69e8cabd8f1f66f6239079b60172c9fb78
- - 21ed4766b1523373b0463af497ef1c6b3b98c2ca
- - 30b33064169e09e1c5daacb38ed461ed5820d0d2
- - a8a798a7c9b1da5beea8acfec16409d015ad85a7
- - a4f2e1e1878c1ce541aec24e6e2a690855cc8003
- - d06a2dab9f185c8cd2c21c0c97342cbdb7b9f38b
- - 12a63757dbde3b0be25b49bc9e7625059088d319
- - 35ae1c48710ff5a4db20645bc98c719cfb695b9a
- - 85cd86999f70339509692b92cf182ec36697edcf
- - 10d49f830b52ed05d9b41e18c8e1ff4a44a85fb3
- - 3f35b26b8b2dcd856b12b985f9091260d5c5bd71
- - 1a37242fa2af5db30ea72b95f948285efcd63d52
- - b49bd705dcddd496aedb6e797ce8691d276236af
- - eb2ae34c80f6b8ffb1bdfc55287d967c6e18cd81
- - 39fbf0a90423a1e6e31c6c042acd9aea00793a18
- - d658fb8a2566cab11600af4db164c5f1f8656116
- - f4cf808a3d184c556a51cd53d98a2f4ea05acee4
- - bdff595cad6a42ba9675f99505bebecdb28209f0
- - 9377591781a5346ed84517688787c305ed6554c4
- - 19099e065da7c810f93e83d68c0776c2336e5e03
- - a1ac9b101571477a81e1cb3c6999f818bbbf0738
- - 54968f68bc2ba50f59a66fba9f6823215a0bc4f6
- - 9455a8ce3aaccceb4c282ef6c84d7edb36dd0d4c
- - 21c344a479a8fd359a9c875f3056a7e72fe4d5fb
- - 00abcf89d9ad026ddce4af0038db7953b01d8b8b
- - 1a246dd54326124df57cb0e8e051f57abb549c9f
- - 07db66a6ef857edee2c731d1b66f42a4f32d9622
- - d4867a6583c17001a60590684d91237a580e786a
- - 46573774a27c7a4d20d508f1f07ba72d34616bc3
- - 9184d9473d7b5ecb0dddca4052171534523602be
- - f6593810da73cf8e1cc982d9020850260fc1ff52
- - a9442e6660e71fd2058310e6155de3ef5e4f5fdf
- - cee97cb0ccad90c369b10d6a9512d678a0535cac
- - aaca2848a1e1eefa71ce2987b19abae2d34cf3aa
- - 3125b53b1aef485ed2239d514b131ef80ad577c1
- - 2990f254f030e62ab15b9399e26368aa3e291d15
- - b19b8a9677ae9e657e0195ac85a4849a67729cf6
- - e3b14402ebded2a7ec8f38809bf907ac72692ede
- - 37d229d0262b6fa7dfb96184eff3f7882ddd487e
- - 8002fd226367c0882973c69673bf8379df2fc198
- - a1c3e0db94579f59cc821132f958187339e68d88
- - 4fdec5a8e10f95a5dbfd84cf382f2755f0342fda
- - ef73d7e235c4d4ab41402835193ac9ba0c4cc485
- - ad3d14f1da33d00ee3506f12922fb3faf87b65d7
- - a1d509759b9195a1c022f2eb9585b74d07a0f084
- - b7e54b0b41757cd36dd03fb29367b385c5fa3be0
- - d909440c48b7b64b016478de1e6ee78e2faa9e13
- - 2ca9dc306e8c667eb9f00376898be52d8b980c88
- - 031524c73df6fd40b13e89c44e86d4a62d77075b
- - 6fae0d4fa68a85a1d552c5ae3140dd39f7a05c88
- - fb27b4238cd6c33bd899e240ead4b5fb8a2a24b1
- - 0890cc54a92627c03119654c94c584a2e3c744ca
- - 339edce03ed7fe59ec4a778abff243fa4cabaa23
- - 2329014b6dbc473326291fa6e101e6d63c4dbd25
- - 872663148e00c4d272fc67e8d369a5012ccbac5a
- - 0e3b1262a168d51512014c4f7df6c37edce0f05d
- - 606d9064b0a6abd82da3731fda9f1558ec1f153c
- - 4bd39999a06fa1f710daae54c6cc8ca7d5784f58
- - 562cd20d05e0427e6b18daa279a3a5f3b08c889d
- - 4bbd44784c7c4eede8e53011a2c4981c16598d1f
- - dc4bd4cece9a6de7926e85a09f152fe4697a8bc5
- - 770e2583907fa38e2b78601a90799b6ae7ab15eb
- - f34b3b765fb964dee979ac7646b6d609adbeb2ba
- - aa10040b570386c1ae311c6245b9e21295b2b83a
- - fff015f4094ab80ff2eb4978f8cdb3711187c50a
- - 5b2be7d9d8444e0a5b706944c878cd0048ef026a
- - 2cd0ee8cf21eecaa9d39d699692284be44cf6ca2
- - 451043367be65468dd96bbf5868af666b25f1663
- - 4fc29224cf362988a741dc07804225f730a326ec
- - dd6bc28afb3bafdde93ad7ed9f58b3a0aec2be99
- - 1597c68f7b941fd97881155d7f077852e2914e7b
- - e59984353acde7207aa1115e261847bf4ddd9a8f
- - ee1000e153e1b7c8f223bb573bb8169d2033f4af
- - 1d3b2589d734dc94a1719a3af40b87ed8319f329
- publicationTime: 2015-08-06T00:00:00Z
- disclosureTime: 2015-05-18T15:59:00Z
- isUpgradable: false
- isPatchable: false
- isPinnable: false
- identifiers:
- CVE:
- - CVE-2015-3627
- CWE:
- - CWE-59
- credit:
- - Tõnis Tiigi
- CVSSv3: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvssScore: 8.4
- patches: []
- upgradePath: []
- licenses: []
- dependencyCount: 28
- org:
- name: atokeneduser
- id: 689ce7f9-7943-4a71-b704-2ba575f01089
- licensesPolicy: null
- packageManager: govendor
 Updateamemberintheorganizationrequest:
 title: Updateamemberintheorganizationrequest
 type: object
