Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: com.github.pmonks/bvpbot 1.0.20250708

Summary

Summary of Vulnerable Dependencies

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| aero-1.1.6.jar | | pkg:maven/aero/aero@1.1.6 | | 0 | | 17 |
| asm-9.2.jar | | pkg:maven/org.ow2.asm/asm@9.2 | | 0 | | 52 |
| camel-snake-kebab-0.4.3.jar | | pkg:maven/camel-snake-kebab/camel-snake-kebab@0.4.3 | | 0 | | 12 |
| cheshire-6.0.0.jar | | pkg:maven/cheshire/cheshire@6.0.0 | | 0 | | 19 |
| clj-2253-0.1.0.jar | | pkg:maven/org.clojars.pmonks/clj-2253@0.1.0 | | 0 | | 12 |
| clojure-1.12.1.jar | cpe:2.3:a:clojure:clojure:1.12.1:*:*:*:*:*:*:* | pkg:maven/org.clojure/clojure@1.12.1 | | 0 | Highest | 22 |
| clojure.java-time-1.4.3.jar | cpe:2.3:a:time_project:time:1.4.3:*:*:*:*:*:*:* | pkg:maven/clojure.java-time/clojure.java-time@1.4.3 | | 0 | Highest | 17 |
| commons-beanutils-1.9.4.jar | cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.4 | HIGH | 1 | Highest | 167 |
| commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 | | 0 | Highest | 83 |
| commons-digester-2.1.jar | | pkg:maven/commons-digester/commons-digester@2.1 | | 0 | | 97 |
| commons-logging-1.3.2.jar | | pkg:maven/commons-logging/commons-logging@1.3.2 | | 0 | | 128 |
| commons-validator-1.9.0.jar | | pkg:maven/commons-validator/commons-validator@1.9.0 | | 0 | | 129 |
| core.async-1.8.741.jar | | pkg:maven/org.clojure/core.async@1.8.741 | | 0 | | 21 |
| core.cache-1.1.234.jar | | pkg:maven/org.clojure/core.cache@1.1.234 | | 0 | | 17 |
| core.memoize-1.1.266.jar | | pkg:maven/org.clojure/core.memoize@1.1.266 | | 0 | | 17 |
| core.specs.alpha-0.4.74.jar | cpe:2.3:a:alex_project:alex:0.4.74:*:*:*:*:*:*:* | pkg:maven/org.clojure/core.specs.alpha@0.4.74 | | 0 | Low | 17 |
| data.json-2.3.1.jar | | pkg:maven/org.clojure/data.json@2.3.1 | | 0 | | 19 |
| data.priority-map-1.2.0.jar | | pkg:maven/org.clojure/data.priority-map@1.2.0 | | 0 | | 14 |
| discljord-1.3.1.jar | | pkg:maven/com.github.discljord/discljord@1.3.1 | | 0 | | 12 |
| embroidery-1.0.44.jar | | pkg:maven/com.github.pmonks/embroidery@1.0.44 | | 0 | | 20 |
| gniazdo-1.2.2.jar | | pkg:maven/stylefruits/gniazdo@1.2.2 | | 0 | | 17 |
| hato-1.0.0.jar | | pkg:maven/hato/hato@1.0.0 | | 0 | | 17 |
| http-kit-2.8.0.jar | | pkg:maven/http-kit/http-kit@2.8.0 | | 0 | | 21 |
| jackson-core-2.18.3.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.3:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.3 | | 0 | Low | 46 |
| jackson-dataformat-cbor-2.18.3.jar | cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.18.3:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor@2.18.3 | | 0 | Low | 38 |
| jcl-over-slf4j-2.0.17.jar | | pkg:maven/org.slf4j/jcl-over-slf4j@2.0.17 | | 0 | | 30 |
| jetty-io-9.4.57.v20241219.jar | cpe:2.3:a:eclipse:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.57:20241219:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-io@9.4.57.v20241219 | MEDIUM | 1 | Highest | 36 |
| jul-to-slf4j-2.0.17.jar | | pkg:maven/org.slf4j/jul-to-slf4j@2.0.17 | | 0 | | 30 |
| linked-1.3.0.jar | | pkg:maven/frankiesardo/linked@1.3.0 | | 0 | | 12 |
| log4j-over-slf4j-2.0.17.jar | | pkg:maven/org.slf4j/log4j-over-slf4j@2.0.17 | | 0 | | 28 |
| logback-core-1.5.18.jar | cpe:2.3:a:qos:logback:1.5.18:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-core@1.5.18 | | 0 | Highest | 38 |
| markov-chains-0.1.1.jar | | pkg:maven/rm-hull/markov-chains@0.1.1 | | 0 | | 12 |
| mount-0.1.23.jar | | pkg:maven/mount/mount@0.1.23 | | 0 | | 14 |
| slash-0.6.1-SNAPSHOT.jar | | pkg:maven/com.github.johnnyjayjay/slash@0.6.1-SNAPSHOT | | 0 | | 14 |
| slf4j-api-2.0.17.jar | | pkg:maven/org.slf4j/slf4j-api@2.0.17 | | 0 | | 28 |
| spec.alpha-0.5.238.jar | | pkg:maven/org.clojure/spec.alpha@0.5.238 | | 0 | | 26 |
| tigris-0.1.2.jar | | pkg:maven/tigris/tigris@0.1.2 | | 0 | | 18 |
| tools.analyzer-1.2.0.jar | | pkg:maven/org.clojure/tools.analyzer@1.2.0 | | 0 | | 16 |
| tools.analyzer.jvm-1.3.2.jar | | pkg:maven/org.clojure/tools.analyzer.jvm@1.3.2 | | 0 | | 17 |
| tools.cli-1.1.230.jar | | pkg:maven/org.clojure/tools.cli@1.1.230 | | 0 | | 19 |
| tools.logging-1.3.0.jar | cpe:2.3:a:alex_project:alex:1.3.0:*:*:*:*:*:*:* | pkg:maven/org.clojure/tools.logging@1.3.0 | | 0 | Low | 15 |
| tools.reader-1.5.0.jar | | pkg:maven/org.clojure/tools.reader@1.5.0 | | 0 | | 19 |
| websocket-api-9.4.57.v20241219.jar | cpe:2.3:a:mortbay_jetty:jetty:9.4.57:20241219:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty.websocket/websocket-api@9.4.57.v20241219 | | 0 | Highest | 38 |
| websocket-client-9.4.57.v20241219.jar | cpe:2.3:a:eclipse:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.57:20241219:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty.websocket/websocket-client@9.4.57.v20241219 | MEDIUM | 1 | Highest | 38 |
| websocket-common-9.4.57.v20241219.jar | cpe:2.3:a:eclipse:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.57:20241219:*:*:*:*:*:*; cpe:2.3:a:websocket-extensions_project:websocket-extensions:9.4.57:20241219:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.4.57.v20241219 | MEDIUM | 1 | Highest | 40 |

Dependencies (vulnerable)

aero-1.1.6.jar

Description:

A small library for explicit, intentful configuration.

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/aero/aero/1.1.6/aero-1.1.6.jar
MD5: b23b46d2bc5fa3b636a2cb40410c1426
SHA1: dc5114c3a8905f61431c4f9dd068a9c919e731ce
SHA256:f4b0a9272da50c8091c5529c9fe355c47234f1eeb95fe92296e2c23f787f3d22

Identifiers

asm-9.2.jar

Description:

ASM, a very small and fast Java bytecode manipulation framework

License:

BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm/9.2/asm-9.2.jar
MD5: 8f184dce9b1bedc675d4a3640d43ddf0
SHA1: 81a03f76019c67362299c40e0ba13405f5467bff
SHA256:b9d4fe4d71938df38839f0eca42aaaa64cf8b313d678da036f0cb3ca199b47f5

Identifiers

camel-snake-kebab-0.4.3.jar

Description:

A library for word case conversions.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/camel-snake-kebab/camel-snake-kebab/0.4.3/camel-snake-kebab-0.4.3.jar
MD5: 4591ec721d8bbe8347ff82ef91c57514
SHA1: 5ae08f83ceb8959971e6334596bff0214bf6fdf2
SHA256:8191f335776310d7857a40ad33254be66adb363806b18136d8843196923ac2c8

Identifiers

cheshire-6.0.0.jar

Description:

JSON and JSON SMILE encoding, fast.

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/cheshire/cheshire/6.0.0/cheshire-6.0.0.jar
MD5: dd6f21162dfb4e478a7823f2fe087d42
SHA1: 8729487bf662aa3c2d69b8b0c17687a06184de3b
SHA256:6b2dc65f5a80eb63088c9794aa4984785abda884a48c07de43e713632ada0df7

Identifiers

clj-2253-0.1.0.jar

Description:

A workaround for https://dev.clojure.org/jira/browse/CLJ-2253

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/clojars/pmonks/clj-2253/0.1.0/clj-2253-0.1.0.jar
MD5: cbf13845d65489fac031aee4666b230f
SHA1: 72d1f88f05bbc3b1eb468c33815a417faaa49984
SHA256:7409e379bd788541b80b38872ca5668f9695b0214a2898ca78828cb476115d51

Identifiers

clojure-1.12.1.jar

Description:

Clojure core environment and runtime library.

License:

Eclipse Public License 1.0: http://opensource.org/licenses/eclipse-1.0.php
File Path: /home/runner/.m2/repository/org/clojure/clojure/1.12.1/clojure-1.12.1.jar
MD5: 8c3e8e01592478d8296140682a3c8bc5
SHA1: 9280a39f8342673eac582e8909fd4f46026bfd50
SHA256:87eeea9e355d86c045738af494d683e09e914cb0467ae40d46a66b87a36c72d4

Identifiers

clojure.java-time-1.4.3.jar

Description:

Clojure wrapper for Java 8 Time API

License:

MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/clojure/java-time/clojure.java-time/1.4.3/clojure.java-time-1.4.3.jar
MD5: fce88000603ed0dea2be33e0fffa5836
SHA1: 11cea239151350d663d35f03913e07626ca69f01
SHA256:8f7e14031a531c1bc79859f4deabe215f8c15f81d66e09bdf7b4d9749b8325a7

Identifiers

commons-beanutils-1.9.4.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a

Identifiers

CVE-2025-48734  

Improper Access Control vulnerability in Apache Commons.



A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.





Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.

Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
CWE-284 Improper Access Control, NVD-CWE-Other

CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A

References:

Vulnerable Software & Versions:

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8

Identifiers

commons-digester-2.1.jar

Description:

The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d

Identifiers

commons-logging-1.3.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other, well-known logging systems.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar
MD5: 4b970f3b14a5e53d8e8edff1cf2ecd91
SHA1: 3dc966156ef19d23c839715165435e582fafa753
SHA256:6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489

Identifiers

commons-validator-1.9.0.jar

Description:

Apache Commons Validator provides the building blocks for both client side validation and server side data validation. It may be used standalone or with a framework like Struts.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/commons-validator/commons-validator/1.9.0/commons-validator-1.9.0.jar
MD5: 0adeb5a4d23a33b9c80f5fcb2fa2ab3f
SHA1: 26e49d333890ccad072eb530a85fceb9c07818df
SHA256:c3c14748e2d78db58df88808740711bd643b32c45ffa7b8a739f00fb467cd7d7

Identifiers

core.async-1.8.741.jar

Description:

Facilities for async programming and communication in Clojure

File Path: /home/runner/.m2/repository/org/clojure/core.async/1.8.741/core.async-1.8.741.jar
MD5: cdd5b4b278d48a7e75138f15e90c4902
SHA1: 0568d9b06541900b0dc024ca900092e6b1bde76d
SHA256:288489a4f0e580f43e1913cba842b32959ef01e2d1bc3a01db2e97c79c9c655a

Identifiers

core.cache-1.1.234.jar

Description:

Cache library for Clojure.

License:

Eclipse Public License 1.0: https://opensource.org/license/epl-1-0/
File Path: /home/runner/.m2/repository/org/clojure/core.cache/1.1.234/core.cache-1.1.234.jar
MD5: c74f1627e4c7bc82173ee885049ca95b
SHA1: 4efde969ef1c0659f7b0e6e28c85263d9af01299
SHA256:ba9071044edb7b009288b2c5f800a7dcd918b0f1725c5ba800469238df972f63

Identifiers

core.memoize-1.1.266.jar

Description:

A memoization library for Clojure

License:

Eclipse Public License 1.0: https://opensource.org/license/epl-1-0/
File Path: /home/runner/.m2/repository/org/clojure/core.memoize/1.1.266/core.memoize-1.1.266.jar
MD5: 70a78543850b17e61d8a122e8cb6f4a7
SHA1: e2cc0e3a742723a52e72373aebc556b678909ddc
SHA256:5792a21d6d90a1f5e68d4a10f65607aa21f6c484eb9d1a421cefc1f8ac26f18e

Identifiers

core.specs.alpha-0.4.74.jar

Description:

Specs for clojure.core

License:

Eclipse Public License 1.0: https://opensource.org/license/epl-1-0/
File Path: /home/runner/.m2/repository/org/clojure/core.specs.alpha/0.4.74/core.specs.alpha-0.4.74.jar
MD5: ebd37b9a3c39e6b769fc1463737cb8d4
SHA1: d56a8d4c666ff8140e6d0a62d41263134be39254
SHA256:eb73ac08cf49ba840c88ba67beef11336ca554333d9408808d78946e0feb9ddb

Identifiers

data.json-2.3.1.jar

Description:

Generating/parsing JSON from/to Clojure data structures

File Path: /home/runner/.m2/repository/org/clojure/data.json/2.3.1/data.json-2.3.1.jar
MD5: c40582783bbba064e6d2eab43067c183
SHA1: bccad454332d350fcf088ad65e961b9ed7687b7b
SHA256:ab6fcad6c5a174eecf6424c789064288626bf0434aab6414c9947df26e3ee4e2

Identifiers

data.priority-map-1.2.0.jar

File Path: /home/runner/.m2/repository/org/clojure/data.priority-map/1.2.0/data.priority-map-1.2.0.jar
MD5: 2cfe73a5c938e7fd15d36bcbe29b5918
SHA1: a07772b9f061023198635d1b1425d936507f5ec7
SHA256:a4523626a1ccc4fce0d1efe6df16897fc3e34b58738f0462e4536af17dea02f0

Identifiers

discljord-1.3.1.jar

Description:

A Clojure wrapper library for the Discord API, with full API coverage (except voice, for now), and high scalability.

License:

Eclipse Public License: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/com/github/discljord/discljord/1.3.1/discljord-1.3.1.jar
MD5: 3d3b7aff80ce893282e7eaaadd708061
SHA1: df0e0be3ff5ae9e072b1dfa8422eaa5deb3a3251
SHA256:361fc69812dbf436458f1716afeeb5ae8f7210fc798cd3b3fb27d39449b369aa

Identifiers

embroidery-1.0.44.jar

Description:

A Clojure micro-library for leveraging virtual threads on JVMs that support them.

License:

Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/com/github/pmonks/embroidery/1.0.44/embroidery-1.0.44.jar
MD5: 0141ce9e67e5c76af519e98fc5a8bf5d
SHA1: 0ce7accc8b0fe2fcb13b0e509c322de914390ad2
SHA256:f978771dcca1ef87a0668cee9911882fea462791f20a6166b93edc356d35f152

Identifiers

gniazdo-1.2.2.jar

Description:

A WebSocket client for Clojure

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/stylefruits/gniazdo/1.2.2/gniazdo-1.2.2.jar
MD5: 475a727ac1787ab0afc92e70062de2f5
SHA1: e7eafb16875928396d58c8d62c857d728ef7587a
SHA256:799c9dd0dcb3c6418e72d4e2ef2cb8be12e529db5619e98849b4046adab9129f

Identifiers

hato-1.0.0.jar

Description:

An HTTP client for Clojure, wrapping JDK 11's HttpClient.

License:

The MIT License: http://opensource.org/licenses/mit-license.php
File Path: /home/runner/.m2/repository/hato/hato/1.0.0/hato-1.0.0.jar
MD5: 169f69866f7e0eaf8f5a38ad049bcecf
SHA1: 6a1bea52787ef5419f9d4475bce4997581ee6276
SHA256:6b65a8f6145ec577b015cbfa3703c2d00f5e9f964bc6fca7b71dfc56a4ffe029

Identifiers

http-kit-2.8.0.jar

Description:

Simple, high-performance event-driven HTTP client+server for Clojure

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/http-kit/http-kit/2.8.0/http-kit-2.8.0.jar
MD5: 582d6eef7aba114586e89886a897bf81
SHA1: 92fe1baf9fea00c9b445f889e9bf2222ae22be39
SHA256:c496e6a86fec46b3743dc399edc872e14496d888a84d04c1c84deaa1ed2083ad

Identifiers

jackson-core-2.18.3.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.18.3/jackson-core-2.18.3.jar
MD5: b36e17ef5ba214242b700f8e621e6f12
SHA1: 78f80c259268200e588aa204dd97ecf09b76916e
SHA256:056bc4d3e5e53ce821450fa97b3f9e0f8dde125cf6da6884353bb1f09582e1d9

Identifiers

jackson-dataformat-cbor-2.18.3.jar

Description:

Support for reading and writing Concise Binary Object Representation ([CBOR](https://www.rfc-editor.org/info/rfc7049)) encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.18.3/jackson-dataformat-cbor-2.18.3.jar
MD5: 05eddfbc938fa5d094b44b5f29235c53
SHA1: af8064ba5b2afaf0920943fbfeb6b57f56aad6d8
SHA256:5e9a635c866001a78993f15fe0ff9a92a3e24264287186c26851f1091a36cda7

Identifiers

jcl-over-slf4j-2.0.17.jar

Description:

JCL 1.2 implemented over SLF4J

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/slf4j/jcl-over-slf4j/2.0.17/jcl-over-slf4j-2.0.17.jar
MD5: 4fcd46ca51e55b9fd9b0db34474927e0
SHA1: 76ea503eb688f06556a9ba69995d7eab63e34531
SHA256:affd06771589ebfe454bb11315a4f466ecaa135b95f3e7939534cf1d2fd7064c

Identifiers

jetty-io-9.4.57.v20241219.jar

Description:

Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.57.v20241219/jetty-io-9.4.57.v20241219.jar
MD5: 886897639125a72cf22a3cb475e93468
SHA1: bd0ca6e5c4314972cd91f427fa09dedfe3b84ff5
SHA256:f6246a2cf0abcee7f0971217c0ce4cd30d8ce15a91530363457113907ab38690

Identifiers

CVE-2024-6763  

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.

The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

jul-to-slf4j-2.0.17.jar

Description:

JUL to SLF4J bridge

License:

https://opensource.org/license/mit
File Path: /home/runner/.m2/repository/org/slf4j/jul-to-slf4j/2.0.17/jul-to-slf4j-2.0.17.jar
MD5: a42936c56611e4794c42908fb3d3a647
SHA1: 524cb6ccc2b68a57604750e1ab8b13b5a786a6aa
SHA256:a7afcd23b9cfd1475e55c94f943b808c5922035e7e2c2a5c65a487a4106bc538

Identifiers

linked-1.3.0.jar

Description:

Efficient ordered map and set.

License:

Eclipse Public License: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/frankiesardo/linked/1.3.0/linked-1.3.0.jar
MD5: 116a0e136ec5951eaede8a50d08d2617
SHA1: a9e0a8b3fb028b91b6d46305c629dacd63857e9e
SHA256:f952b1d95a5f5cc105ac8ff96656dd12540d5ea28e31f68e101778820f204d3a

Identifiers

log4j-over-slf4j-2.0.17.jar

Description:

Log4j implemented over SLF4J

License:

Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/slf4j/log4j-over-slf4j/2.0.17/log4j-over-slf4j-2.0.17.jar
MD5: ec3cf11fe022ffd852ab84e9b8b69a96
SHA1: 55e55c79a0b89ccc9e411049005c02b7514e0cf9
SHA256:cbf30eaf95357ab7babf9be123da9cc702f0fe83b23392b7a62589d60b5862d1

Identifiers

logback-core-1.5.18.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/runner/.m2/repository/ch/qos/logback/logback-core/1.5.18/logback-core-1.5.18.jar
MD5: 10bcea83842beead15f072799b9c923d
SHA1: 6c0375624f6f36b4e089e2488ba21334a11ef13f
SHA256:85139e7b57b464f8e5e36326dd81317648bed199ccc4f98cd42585f8d7571027

Identifiers

markov-chains-0.1.1.jar

Description:

A library (and application examples) of stochastic discrete-time Markov Chains (DTMC) in Clojure

License:

The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/rm-hull/markov-chains/0.1.1/markov-chains-0.1.1.jar
MD5: fe09104ac559adb0da1367b904ce70b7
SHA1: 3fd0d4c4dc53345b1c55f764f27fe157f792d69b
SHA256:441c1da2d134e2ba63d4efbe706f58704edd5cfeb28cd1641c213e04b18bac4f

Identifiers

mount-0.1.23.jar

Description:

managing Clojure and ClojureScript app state since (reset)

License:

Eclipse Public License: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/mount/mount/0.1.23/mount-0.1.23.jar
MD5: e05e8dfcf58c72d3076f4a445b4dcba4
SHA1: 8d25e82c18c07d90a365dbab7abc9ac88d464f58
SHA256:cf71918bc8e44098d9b58a962a9d7a52d38dd1e92fb9149d347aaf35e54a82be

Identifiers

slash-0.6.1-SNAPSHOT.jar

Description:

A library for handling and routing Discord interactions

License:

MIT License: https://mit-license.org
File Path: /home/runner/.m2/repository/com/github/johnnyjayjay/slash/0.6.1-SNAPSHOT/slash-0.6.1-SNAPSHOT.jar
MD5: 767b85763ca68091a9adfb2077b92aae
SHA1: 066e8d320d1c1c713b54df2fd4944ada4a2fe3eb
SHA256:4df07f01e439471f46fbe43dc4bf189fdd27c492177b5d1d222b8c9895d11797

Identifiers

slf4j-api-2.0.17.jar

Description:

The slf4j API

License:

https://opensource.org/license/mit
File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/2.0.17/slf4j-api-2.0.17.jar
MD5: b6480d114a23683498ac3f746f959d2f
SHA1: d9e58ac9c7779ba3bf8142aff6c830617a7fe60f
SHA256:7b751d952061954d5abfed7181c1f645d336091b679891591d63329c622eb832

Identifiers

spec.alpha-0.5.238.jar

Description:

Specification of data and functions

License:

Eclipse Public License 1.0: https://opensource.org/license/epl-1-0/
File Path: /home/runner/.m2/repository/org/clojure/spec.alpha/0.5.238/spec.alpha-0.5.238.jar
MD5: 9f5ea5239dc04d6a8115add1e4f5f23a
SHA1: 4eb5dea521c4e6e1f68c2c47517f14a922003e60
SHA256:94cd99b6ea639641f37af4860a643b6ed399ee5a8be5d717cff0b663c8d75077

Identifiers

tigris-0.1.2.jar

Description:

Stream-to-stream JSON string encoding

License:

Eclipse Public License: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/runner/.m2/repository/tigris/tigris/0.1.2/tigris-0.1.2.jar
MD5: 5f33b5d6ca167cc92fb782b7d876262c
SHA1: a122db758561d995a83cbb40f252b64d8b0f506e
SHA256:49aa648edb6c14e57095a11b391eaee606578323fb79755f92331ac6300f97a0

Identifiers

tools.analyzer-1.2.0.jar

Description:

An analyzer for Clojure code, written in Clojure and producing AST in EDN

File Path: /home/runner/.m2/repository/org/clojure/tools.analyzer/1.2.0/tools.analyzer-1.2.0.jar
MD5: ddc1a592cfc5ce14a2b848c7523e81d4
SHA1: c74b1c275ff3fc505b1e13dd0fe85c83e8aa202c
SHA256:7801a5a7ef4fd77f560c30a638594447c3aa71ee78b7f088553b7919bd0033bb

Identifiers

tools.analyzer.jvm-1.3.2.jar

Description:

Additional jvm-specific passes for tools.analyzer

File Path: /home/runner/.m2/repository/org/clojure/tools.analyzer.jvm/1.3.2/tools.analyzer.jvm-1.3.2.jar
MD5: 9e5a388bc9ef6f9ab6e3643df0cb45a5
SHA1: 0cf3cb32a9c0d5292645c8ba760f5e502fa0125e
SHA256:d8a2d59205a21281f305f3d5439ffc302182c307f9be962a76ce814a6620693d

Identifiers

tools.cli-1.1.230.jar

File Path: /home/runner/.m2/repository/org/clojure/tools.cli/1.1.230/tools.cli-1.1.230.jar
MD5: 6be3fc082558e75e13151c4e7b86897c
SHA1: 239281e05dcd94d93cacbbd6187b6e8698fd18df
SHA256:916630b539a43ff468b4dd016c62857e2b4cb5da6686f1297587cdd43ca102cd

Identifiers

tools.logging-1.3.0.jar

File Path: /home/runner/.m2/repository/org/clojure/tools.logging/1.3.0/tools.logging-1.3.0.jar
MD5: b6b3c2ffeb27a25eab2d6e0e3a6e6b57
SHA1: 07d45477c1b61230b0d1fcf36afccc02155a4b32
SHA256:826969b78d9ada327de6b7da0f176457d95614fa38c280326610f31a6b515c91

Identifiers

tools.reader-1.5.0.jar

Description:

A Clojure reader in Clojure 

License:

Eclipse Public License 1.0: https://opensource.org/license/epl-1-0/
File Path: /home/runner/.m2/repository/org/clojure/tools.reader/1.5.0/tools.reader-1.5.0.jar
MD5: 90aeb9ddb25d485920ff3fd248315d54
SHA1: 4149c49bec1f3614f76b13c0a81797cfabef112e
SHA256:bfc8f709efb843f2ccc4daa93e2842ceb86e7b8d11d5544dc0ee68b6a0f4db3c

Identifiers

websocket-api-9.4.57.v20241219.jar

Description:

Jetty module for Jetty :: Websocket :: API

License:

http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/runner/.m2/repository/org/eclipse/jetty/websocket/websocket-api/9.4.57.v20241219/websocket-api-9.4.57.v20241219.jar
MD5: d077096852f02f01aad40458f3c56eeb
SHA1: f5bc4841162a92f03c285a4860da1e6d4e91ea75
SHA256:5933b3678c9b59552bab900d521deade8bb24c441d3f35db957a87210a478c2d

Identifiers

websocket-client-9.4.57.v20241219.jar

Description:

Jetty module for Jetty :: Websocket :: Client

License:

http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/runner/.m2/repository/org/eclipse/jetty/websocket/websocket-client/9.4.57.v20241219/websocket-client-9.4.57.v20241219.jar
MD5: ecf75c4ff3ac4df4579e723924a3b086
SHA1: e0abf34d0948bf5930424c70023c07fbe7e249fc
SHA256:994a6ce882440d3ce41adae46f60c14ea692faa884fd8e44247f6a955cdeb4fe

Identifiers

CVE-2024-6763  

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.

The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:

websocket-common-9.4.57.v20241219.jar

Description:

Jetty module for Jetty :: Websocket :: Common

License:

http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/runner/.m2/repository/org/eclipse/jetty/websocket/websocket-common/9.4.57.v20241219/websocket-common-9.4.57.v20241219.jar
MD5: 489e012f124f04d97b4057f148b8d625
SHA1: 49837e68f8f222f723177b2f260c04d4cdf4c867
SHA256:100cafab74235b3e4a1d9fbb1504bbd51ad2da9a2670c18adc28949a6dc8e61d

Identifiers

CVE-2024-6763  

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.

The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other

CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions:



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.