Many vulnerable libs in Lucee preventing use in Government shops
Activity
Zac Spitzer 31 May 2023 at 14:27
@Michael Offner the only remaining jar in Lucee core/loader which needs updating is https://luceeserver.atlassian.net/browse/LDEV-1526
Michael Offner 31 May 2023 at 13:41
@Pothys - MitrahSoft can you please find out if we still have some vulnerable libraries remaining in the Lucee build?
IMPORTANT: only jars bundled with Lucee, not jars provided by commandbox.
Zac Spitzer 19 May 2023 at 12:18
https://github.com/lucee/Lucee/commit/359fad9c4937c5682294a2cb975ed70c0ca332df backport commons library updates from 6.0
Zac Spitzer 9 May 2023 at 08:42
https://luceeserver.atlassian.net/browse/LDEV-4470
https://luceeserver.atlassian.net/browse/LDEV-4471
https://luceeserver.atlassian.net/browse/LDEV-1526 (needs custom lucee jar, maven version missing OSGI metadata)
Jamie Jackson 8 May 2023 at 19:02
I came here after I found a large number of vulnerabilities in the Lucee image. Unfortunately, I’m having trouble digesting the details in this ticket. I think the community could use a table that consolidates known information. @Brad Wood's table in the description is a good start, but it could use some extra columns; e.g., Lucee Ticket, Lucee Fix Version.
Brad, maybe I’m misinterpreting the green text in your table, but at a glance, I don’t think the green lines necessarily align with reality. For example, I’m still seeing a pile of com.fasterxml.jackson.core:jackson-databind issues in 5.3.10.120 (whereas your green rows supposedly designate things that are ostensibly fixed in 5.3.10).
I ran a trivy scan (docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/.trivy_cache:/root/.cache/trivy aquasec/trivy image lucee/lucee:5.3.10.120_upgraded --ignore-unfixed -s HIGH,CRITICAL) against the Lucee lucee/lucee:5.3.10.120 docker image (in which I did OS package updates to clean up the scan a bit), where I still found a bunch of issues.
I also found some previously unreported vulnerabilities.
trivy scan results: https://gist.github.com/jamiejackson/c45b2ca5a37e828e480a5e3c8d8e9004#file-lucee-5-3-10-120_trivy_report-txt
Extra vulnerabilities:
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.hsqldb:hsqldb (hsqldb-1.8.0.jar) │ CVE-2022-41853 │ CRITICAL │ 1.8.0 │ 2.7.1 │ hsqldb: Untrusted input may lead to RCE attack │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41853 │
├─────────────────────────────────────────────────────────────┤ │ │ │ │ │
│ org.hsqldb:hsqldb (lucee.jar) │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────────────────────────────────────────────────────┼─────────────────────┤ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.postgresql:postgresql (org.postgresql.jdbc-42.2.20.jar) │ CVE-2022-21724 │ │ 42.2.20 │ 42.2.25, 42.3.2 │ jdbc-postgresql: Unchecked Class Instantiation when │
│ │ │ │ │ │ providing Plugin Classes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-21724 │
│ ├─────────────────────┤ │ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-26520 │ │ │ 42.3.3 │ postgresql-jdbc: Arbitrary File Write Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-26520 │
│ ├─────────────────────┼──────────┤ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-31197 │ HIGH │ │ 42.2.26, 42.3.7, 42.4.1 │ postgresql: SQL Injection in ResultSet.refreshRow() with │
│ │ │ │ │ │ malicious column names │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31197 │
│ ├─────────────────────┼──────────┤ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41946 │ MEDIUM │ │ 42.2.27, 42.3.8, 42.4.3, 42.5.1 │ Information leak of prepared statement data due to insecure │
│ │ │ │ │ │ temporary file permissions... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41946 │
│ ├─────────────────────┤ │ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ GHSA-673j-qm5f-xpv8 │ │ │ 42.3.3 │ pgjdbc Arbitrary File Write Vulnerability │
│ │ │ │ │ │ https://github.com/advisories/GHSA-673j-qm5f-xpv8 │
└─────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴──────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
Details
Assignee: Pothys - MitrahSoft
Reporter: Brad Wood
Priority: New
Description
In a recent security scan of a Lucee 5.3.9.160 server, the following libraries were reported as vulnerable, preventing us from getting approval to use Lucee. Here is the unique list of affected libraries:
com.google.guava.failureaccess-1.0.1.jar
hibernate-3.5.5.0007L.jar
jackson-mapper-asl-1.9.13.jar
metadata.extractor-2.8.1.0002L.jar
net.lingala.zip4j-2.9.0.jar - Fixed in 5.3.10
org.apache.commons.codec-1.9.0.jar
org.apache.commons.collections-3.2.1.jar - This is used by Hibernate 3.5.5
org.apache.poi-2.5.1.jar
org.apache.tika.core-1.27.0.jar - Fixed in 5.3.10
org.lucee.ehcache-2.10.3.jar - Fixed in 5.3.10
org.lucee.httpcomponents.httpclient-4.5.10.0002L.jar
There is a mix of critical, high, medium, and low vulnerabilities found-- 161 in all! Attached is a CVE file with the full list of vulnerabilities present in Lucee’s libs. This needs a high priority in the LTS versions of Lucee in order to not prevent continued adoption in secure environments.
Update: rows marked in green SHOULD be resolved in Lucee 5.3.10.
| Identifier | Severity | Package | Package Path |
| --- | --- | --- | --- |
| CVE-2015-7501 | Critical | commons-collections_commons-collections-3.2.1 | lucee-server/bundles/org.apache.commons.collections-3.2.1.jar |
| GHSA-fjq5-5j5f-mvxh | Critical | commons-collections-3.2.1 | lucee-server/bundles/org.apache.commons.collections-3.2.1.jar:commons-collections |
| CVE-2018-7489 | Critical | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2017-7658 | Critical | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2017-7657 | Critical | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2017-7657 | Critical | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| GHSA-4gq5-ch57-c2mg | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-f3j5-rmmp-3fc5 | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-645p-88qh-w398 | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-gww7-p5w4-wrfv | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-h592-38cm-4ggp | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-gjmw-vf9h-g25v | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-fmmc-742q-jg75 | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-p43x-xfjf-5jhr | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-q93h-jc49-78gg | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-h822-r4r5-v8jg | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-mx7p-6679-8g3q | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-rfx6-vp9g-rh7v | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-85cw-hj65-qqv9 | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-6fpp-rgj9-8rwc | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-qxxx-2pp7-5hmx | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-qr7j-h6gg-jmgc | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-cggj-fvv3-cqwv | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-4w82-r329-3q67 | Critical | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| CVE-2017-7657 | Critical | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2017-7658 | Critical | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2017-7657 | Critical | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2017-7658 | Critical | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2017-7658 | Critical | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| GHSA-vgg8-72f2-qm23 | Critical | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2017-7658 | Critical | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2017-7657 | Critical | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2020-25638 | High | org.hibernate_hibernate-core-3.5.5 | lucee-server/bundles/hibernate-3.5.5.0007L.jar |
| GHSA-j8jw-g6fq-mp7h | High | hibernate-core-3.5.5-Final | lucee-server/bundles/hibernate-3.5.5.0007L.jar:hibernate-core |
| CVE-2019-10172 | High | data mapper for jackson json processor_jackson-mapper-asl-1.9.13 | lucee-server/bundles/jackson-mapper-asl-1.9.13.jar |
| CVE-2015-6420 | High | commons-collections_commons-collections-3.2.1 | lucee-server/bundles/org.apache.commons.collections-3.2.1.jar |
| GHSA-6hgm-866r-3cjv | High | commons-collections-3.2.1 | lucee-server/bundles/org.apache.commons.collections-3.2.1.jar:commons-collections |
| CVE-2017-12626 | High | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2020-35491 | High | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2020-35490 | High | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2022-42004 | High | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2022-42003 | High | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2022-2048 | High | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2020-36518 | High | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2017-9735 | High | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2017-7656 | High | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2020-10650 | High | com.fasterxml.jackson.core_jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2017-7656 | High | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2015-2080 | High | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| GHSA-9m6f-7xcq-8vf8 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-rpr3-cw39-3pxh | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-qjw2-hr98-qgfh | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-f9xh-2qgp-cq57 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-rgv9-q543-rqg4 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-cjjf-94ff-43w7 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-cf6r-3wgc-h863 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-8c4j-34r4-xr8g | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-h3cw-g4mq-c5x2 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-jjjh-jjxp-wpff | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-5ww9-j83m-q7qx | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-cvm9-fjm9-3572 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-288c-cq4h-88gq | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-89qr-369f-5m5x | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-8w26-6f25-cm9x | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-r695-7vr9-jgc2 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-v585-23hc-c647 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-w3f4-3q6j-rh82 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-9gph-22xh-8x98 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-5949-rw7g-wx7w | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-gwp4-hfv6-p7hw | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-57j2-w4cx-62h2 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-vfqx-33qm-g869 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-m6x4-97wx-4q27 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-r3gr-cxrf-hg25 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-wh8g-3j2c-rqj5 | High | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| CVE-2020-27216 | High | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2017-7656 | High | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2021-28165 | High | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2022-2048 | High | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2017-9735 | High | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2022-2048 | High | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2017-9735 | High | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2020-27216 | High | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2017-7656 | High | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| GHSA-26vr-8j45-3r4w | High | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| GHSA-ghgj-3xqr-6jfm | High | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2022-2048 | High | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2020-27216 | High | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| GHSA-84q7-p226-4x5w | High | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2021-28165 | High | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2017-9735 | High | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2017-7656 | High | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2017-9735 | High | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2021-28165 | High | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2020-27216 | High | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2022-2048 | High | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2022-30126 | Medium | org.apache.tika.core-1.27.0 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-25169 | Medium | org.apache.tika.core-1.27.0 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-30973 | Medium | org.apache.tika.core-1.27.0 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-30126 | Medium | tika-core-1.27 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2022-30973 | Medium | tika-core-1.27 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2022-25169 | Medium | tika-core-1.27 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2020-13956 | Medium | org.lucee.httpcomponents.httpclient-4.5.10.0002l | lucee-5.3.9.160.jar:bundles/org.lucee.httpcomponents.httpclient-4.5.10.0002L.jar |
| CVE-2022-30973 | Medium | org.apache.tika_tika-core-1.27 | lucee-5.3.9.160.jar/org.apache.tika.core-1.27.0.jar |
| CVE-2022-30126 | Medium | org.apache.tika_tika-core-1.27 | lucee-5.3.9.160.jar/org.apache.tika.core-1.27.0.jar |
| CVE-2022-25169 | Medium | org.apache.tika_tika-core-1.27 | lucee-5.3.9.160.jar/org.apache.tika.core-1.27.0.jar |
| CVE-2019-14900 | Medium | org.hibernate_hibernate-core-3.5.5 | lucee-server/bundles/hibernate-3.5.5.0007L.jar |
| CVE-2022-24614 | Medium | com.drewnoakes_metadata-extractor-2.8.1 | lucee-server/bundles/metadata.extractor-2.8.1.0002L.jar |
| CVE-2022-24613 | Medium | com.drewnoakes_metadata-extractor-2.8.1 | lucee-server/bundles/metadata.extractor-2.8.1.0002L.jar |
| GHSA-4v6p-cxf9-98rf | Medium | metadata-extractor-2.8.1 | lucee-server/bundles/metadata.extractor-2.8.1.0002L.jar:metadata-extractor |
| GHSA-p5pg-wm9q-8v6r | Medium | metadata-extractor-2.8.1 | lucee-server/bundles/metadata.extractor-2.8.1.0002L.jar:metadata-extractor |
| CVE-2022-24615 | Medium | net.lingala.zip4j_zip4j-2.9.0 | lucee-server/bundles/net.lingala.zip4j-2.9.0.jar |
| GHSA-q62h-jw38-24vh | Medium | zip4j-2.9.0 | lucee-server/bundles/net.lingala.zip4j-2.9.0.jar:zip4j |
| CVE-2014-3574 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2016-5000 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2014-3529 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2012-0213 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2014-9527 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2017-5644 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2022-26336 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2019-12415 | Medium | org.apache.poi-2.5.1 | lucee-server/bundles/org.apache.poi-2.5.1.jar |
| CVE-2022-25169 | Medium | org.apache.tika.core-1.27.0 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-30973 | Medium | org.apache.tika.core-1.27.0 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-30126 | Medium | org.apache.tika.core-1.27.0 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-30126 | Medium | tika-core-1.27 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2022-30973 | Medium | tika-core-1.27 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2022-25169 | Medium | tika-core-1.27 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| PRISMA-2021-0182 | Medium | org.eclipse.jetty_jetty-servlet-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| PRISMA-2021-0182 | Medium | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2021-28169 | Medium | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2019-10247 | Medium | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2019-10241 | Medium | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| GHSA-cmfg-87vq-g5g4 | Medium | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-mph4-vhrx-mv67 | Medium | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| GHSA-fqwf-pjwf-7vqv | Medium | jackson-databind-2.3.3 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jackson-databind |
| CVE-2021-28169 | Medium | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2021-28169 | Medium | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2021-28169 | Medium | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| GHSA-xc67-hjx6-cgg6 | Medium | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| GHSA-7vx9-xjhr-rw6h | Medium | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2021-28169 | Medium | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2020-13956 | Medium | org.lucee.httpcomponents.httpclient-4.5.10.0002l | lucee-server/bundles/org.lucee.httpcomponents.httpclient-4.5.10.0002L.jar |
| CVE-2022-33879 | Low | org.apache.tika.core-1.27.0 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-33879 | Low | tika-core-1.27 | lucee-5.3.9.160.jar:bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2022-33879 | Low | org.apache.tika_tika-core-1.27 | lucee-5.3.9.160.jar/org.apache.tika.core-1.27.0.jar |
| CVE-2020-8908 | Low | com.google.guava.failureaccess-1.0.1 | lucee-server/bundles/com.google.guava.failureaccess-1.0.1.jar |
| PRISMA-2021-0055 | Low | commons-codec_commons-codec-1.9 | lucee-server/bundles/org.apache.commons.codec-1.9.0.jar |
| CVE-2022-33879 | Low | org.apache.tika.core-1.27.0 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar |
| CVE-2022-33879 | Low | tika-core-1.27 | lucee-server/bundles/org.apache.tika.core-1.27.0.jar:tika-core |
| CVE-2021-34428 | Low | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2022-2047 | Low | org.eclipse.jetty_jetty-io-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2022-2047 | Low | org.eclipse.jetty_jetty-http-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| CVE-2021-34428 | Low | org.eclipse.jetty_jetty-server-8.1.15 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar |
| GHSA-cj7v-27pg-wf7q | Low | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2021-34428 | Low | jetty-http-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-http |
| CVE-2022-2047 | Low | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| CVE-2021-34428 | Low | jetty-io-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-io |
| GHSA-m6cp-vxjx-65j6 | Low | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2022-2047 | Low | jetty-server-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-server |
| CVE-2022-2047 | Low | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
| CVE-2021-34428 | Low | jetty-servlet-8.1.15.v20140411 | lucee-server/bundles/org.lucee.ehcache-2.10.3.jar:jetty-servlet |
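
The table above reports the same finding several times, under different package names and path spellings, so the row count overstates the number of jars that need work. As an added example (not part of the ticket or of Lucee's code), this Python script collapses scanner rows onto the bundled jar that carries them, which is the unit that has to be replaced; the function names are hypothetical, the sample rows are copied from the table, and CVE/GHSA aliases of one vulnerability are not merged.

```python
import re
from collections import defaultdict

SEVERITIES = ["Critical", "High", "Medium", "Low"]  # worst first

# Sample rows copied from the ticket's table:
# (identifier, severity, package, package path)
EHCACHE = "lucee-server/bundles/org.lucee.ehcache-2.10.3.jar"
COLLECTIONS = "lucee-server/bundles/org.apache.commons.collections-3.2.1.jar"
TIKA = "org.apache.tika.core-1.27.0.jar"
SAMPLE_ROWS = [
    ("CVE-2015-7501", "Critical", "commons-collections_commons-collections-3.2.1", COLLECTIONS),
    ("GHSA-fjq5-5j5f-mvxh", "Critical", "commons-collections-3.2.1", COLLECTIONS + ":commons-collections"),
    ("CVE-2018-7489", "Critical", "com.fasterxml.jackson.core_jackson-databind-2.3.3", EHCACHE),
    ("CVE-2017-7657", "Critical", "org.eclipse.jetty_jetty-io-8.1.15", EHCACHE),
    ("CVE-2017-7657", "Critical", "jetty-io-8.1.15.v20140411", EHCACHE + ":jetty-io"),
    ("CVE-2022-2048", "High", "jetty-http-8.1.15.v20140411", EHCACHE + ":jetty-http"),
    ("CVE-2022-30126", "Medium", "org.apache.tika.core-1.27.0", "lucee-5.3.9.160.jar:bundles/" + TIKA),
    ("CVE-2022-30126", "Medium", "tika-core-1.27", "lucee-server/bundles/" + TIKA + ":tika-core"),
    ("CVE-2022-30126", "Medium", "org.apache.tika_tika-core-1.27", "lucee-5.3.9.160.jar/" + TIKA),
    ("CVE-2022-33879", "Low", "tika-core-1.27", "lucee-5.3.9.160.jar:bundles/" + TIKA + ":tika-core"),
]


def bundle_of(package_path):
    """Return the innermost .jar named in a Package Path ('/' and ':' both nest)."""
    jars = [seg for seg in re.split(r"[/:]", package_path) if seg.endswith(".jar")]
    if not jars:
        raise ValueError(f"no jar in path: {package_path!r}")
    return jars[-1]


def component_of(package):
    """Drop a 'group_' prefix and the trailing version from a Package value."""
    return re.sub(r"-\d[\w.\-]*$", "", package.rsplit("_", 1)[-1])


def consolidate(rows):
    """Group rows by bundle jar, keeping each identifier once at its worst severity."""
    bundles = defaultdict(lambda: {"ids": {}, "components": set(), "rows": 0})
    for identifier, severity, package, path in rows:
        entry = bundles[bundle_of(path)]
        entry["rows"] += 1
        entry["components"].add(component_of(package))
        known = entry["ids"].get(identifier)
        if known is None or SEVERITIES.index(severity) < SEVERITIES.index(known):
            entry["ids"][identifier] = severity
    return dict(bundles)


def triage(rows):
    """Return (jar, worst severity, unique ids, raw rows, components), worst first."""
    out = []
    for jar, entry in consolidate(rows).items():
        worst = min(entry["ids"].values(), key=SEVERITIES.index)
        out.append((jar, worst, len(entry["ids"]), entry["rows"],
                    sorted(entry["components"])))
    out.sort(key=lambda r: (SEVERITIES.index(r[1]), -r[2], r[0]))
    return out


if __name__ == "__main__":
    for jar, worst, unique, raw, comps in triage(SAMPLE_ROWS):
        print(f"{jar}: worst={worst} unique={unique} (from {raw} rows) "
              f"embeds={', '.join(comps)}")
```
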