
Welcome to the Maven Start Page

Posted by OSS-Index on May 18, 2016

Quick access to Maven auditing tools, search, and recent Maven activity on OSS Index.

Recent news

Maven package vulnerability: jstree

Cross Site Scripting (XSS)
Wed Aug 02 18:53:48 EDT 2017

> When using inline HTML to populate the tree, if the nodes contain HTML entities, the node text will contain those entities even though they aren't rendered.
>
> – github.com

Maven package vulnerability: rabbitmq-jms

Deserialization of untrusted data
Wed Aug 02 18:48:26 EDT 2017

> ObjectMessage#getObject currently would deserialize any value without performing input validation.
>
> – github.com

Maven package vulnerability: cas-client-core

XML External Entity (XXE)
Wed Aug 02 18:18:13 EDT 2017

SAXParserFactory was introduced without applying XXE mitigation techniques. Secure use of SAXParserFactory can be seen here

Maven package vulnerability: commons-collections

Remote code execution
Mon Jul 31 20:47:54 EDT 2017

> It was found that a flaw in the commons-collections library allowed remote code execution wherever deserialization occurs. While JBoss doesn't expose the JMXInvokerServlet by default, other interfaces where deserialization occurs might be vulnerable.
>
> – redhat.com

Maven package vulnerability: swagger-codegen

Remote Code Execution
Mon Jul 31 20:40:30 EDT 2017

> Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters within a Swagger document to generate a client code base.
>
> – rapid7.com