Welcome to the Maven Start Page

Posted by OSS-Index on May 18, 2016

Quick access to Maven auditing tools, search, and recent Maven activity on OSS Index.

Recent news...

Maven package vulnerability: node-uuid

Insufficiently Random Values
Fri Nov 17 17:13:35 EST 2017

This package uses Math.random(), a non-cryptographic pseudo-random generator whose output is predictable and therefore insufficient for security purposes (session identifiers, tokens, UUIDs that must be unguessable).
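To make the weakness concrete, here is an added Java example (not code from node-uuid or OSS Index) that builds an RFC 4122 version-4 UUID from two sources: java.util.Random, which is what Java's Math.random() wraps and which is the analogue of the JavaScript Math.random() named above, and SecureRandom. The seed value is a hypothetical stand-in for anything an attacker can guess, such as a startup timestamp.

```java
import java.security.SecureRandom;
import java.util.Random;
import java.util.UUID;

/*
 * Added example, not code from node-uuid or OSS Index: the same v4 UUID layout
 * filled from a predictable PRNG and from a CSPRNG.
 */
public class UuidSource {

    /** Build an RFC 4122 version-4 UUID from 16 bytes supplied by any Random. */
    static UUID v4From(Random rng) {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        b[6] = (byte) ((b[6] & 0x0f) | 0x40); // version nibble = 4
        b[8] = (byte) ((b[8] & 0x3f) | 0x80); // RFC 4122 variant bits = 10
        long msb = 0, lsb = 0;
        for (int i = 0; i < 8; i++)  msb = (msb << 8) | (b[i] & 0xff);
        for (int i = 8; i < 16; i++) lsb = (lsb << 8) | (b[i] & 0xff);
        return new UUID(msb, lsb);
    }

    public static void main(String[] args) {
        // java.util.Random is a 48-bit linear congruential generator: whoever knows
        // (or recovers) the seed reproduces every "random" id the victim issued.
        long guessedSeed = 1234L; // hypothetical: e.g. a process start timestamp
        UUID victim = v4From(new Random(guessedSeed));
        UUID attacker = v4From(new Random(guessedSeed));
        System.out.println("predictable: " + victim + " == " + attacker
                + " -> " + victim.equals(attacker) + " (version " + victim.version() + ")");

        // SecureRandom draws from the platform CSPRNG; UUID.randomUUID() uses it internally.
        SecureRandom sr = new SecureRandom();
        System.out.println("csprng:      " + v4From(sr));
        System.out.println("jdk:         " + UUID.randomUUID());
    }
}
```

The version and variant bits are set identically in both cases; the only difference is where the 122 random bits come from, which is exactly the property a UUID used as a secret depends on.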

Maven package vulnerability: jstree

Cross Site Scripting (XSS)
Wed Aug 02 18:53:48 EDT 2017

> When using inline HTML to populate the tree, if the nodes contain HTML entities, the node text will contain those entities even though they aren't rendered.
>
> – github.com
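The mechanism behind that report is a decode-then-reinsert round trip: entity-encoded text in the inline markup becomes literal `<` and `>` in the DOM text node, and a renderer that puts that text back into the page as markup executes it. The following added Java example (not jstree code, and a server-side stand-in for what the widget does in the browser) reproduces the failure mode and the fix, escaping on output. The entity decoder and the renderers are constructed for illustration.

```java
/*
 * Added example, not jstree code: entity-decoded node text reinserted as HTML
 * (vulnerable) versus escaped on the way back into the document (fixed).
 */
public class TreeNodeText {

    /** Minimal decoder for the entities a markup parser expands into a text node. */
    static String decodeEntities(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">")
                .replace("&quot;", "\"").replace("&#39;", "'")
                .replace("&amp;", "&"); // &amp; last, so "&amp;lt;" decodes to "&lt;", not "<"
    }

    /** Escape text for insertion as HTML content: the fix. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable renderer: the decoded text node is concatenated straight into markup. */
    static String renderUnsafe(String nodeText) {
        return "<a class=\"node\">" + nodeText + "</a>";
    }

    /** Fixed renderer: text is re-escaped before it becomes markup again. */
    static String renderSafe(String nodeText) {
        return "<a class=\"node\">" + escapeHtml(nodeText) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed input: an attacker-controlled inline node whose text is entity-encoded,
        // exactly the case where the original markup looked harmless.
        String inlineHtml = "&lt;img src=x onerror=alert(1)&gt;";
        String nodeText = decodeEntities(inlineHtml); // what the DOM text node holds
        System.out.println("unsafe: " + renderUnsafe(nodeText)); // a live <img onerror> tag
        System.out.println("safe:   " + renderSafe(nodeText));   // entities restored, inert
    }
}
```

The rule the example illustrates: data that has been decoded once must be escaped again every time it crosses back from "text" into "markup", regardless of how safe the original source looked.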

Maven package vulnerability: rabbitmq-jms

Deserialization of untrusted data
Wed Aug 02 18:48:26 EDT 2017

> ObjectMessage#getObject currently would deserialize any value without performing input validation.
>
> – github.com

Maven package vulnerability: cas-client-core

XML External Entity (XXE)
Wed Aug 02 18:18:13 EDT 2017

SAXParserFactory was introduced without applying XXE mitigation techniques; a SAXParserFactory obtained with default settings accepts a DOCTYPE and resolves external entities, so attacker-supplied XML can read local files or reach internal URLs. Secure use of SAXParserFactory can be seen here
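Since the reference to the secure configuration does not survive on this page, here is an added Java example (not cas-client-core code) that parses the same document with an untouched SAXParserFactory and with one carrying the usual XXE mitigations for Xerces-based parsers. The file it reads is a temporary file it creates itself, a constructed stand-in for /etc/passwd; the element and entity names are arbitrary.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/*
 * Added example, not cas-client-core code: a default SAXParserFactory that
 * resolves an external entity versus one with XXE mitigation applied.
 */
public class SaxXxe {

    /** Collects character data so we can see what the entity expanded to. */
    static class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int len) {
            text.append(ch, start, len);
        }
    }

    /** Factory as shipped: DOCTYPE and external general entities are honoured. */
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Factory with XXE mitigation; features are the Xerces/JAXP ones, which the JDK parser supports. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    static String parse(SAXParserFactory f, String xml) throws Exception {
        TextCollector h = new TextCollector();
        f.newSAXParser().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), h);
        return h.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file so the example runs anywhere.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));

        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE t [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<t>&xxe;</t>";
        try {
            // Default settings: the entity is resolved and the file content comes back as text.
            System.out.println("default parser read: " + parse(defaultFactory(), xxe));
            // Hardened settings: the DOCTYPE itself is refused, before any entity is declared.
            try {
                parse(hardenedFactory(), xxe);
                System.out.println("hardened parser: unexpectedly accepted DOCTYPE");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Disallowing the DOCTYPE is the setting that matters; the remaining features only cover parsers that ignore it. Apply the same treatment to every factory in the code base, not just the one the advisory names, since DocumentBuilderFactory, XMLInputFactory and Transformer instances default to the same behaviour.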

Maven package vulnerability: commons-collections

Remote code execution
Mon Jul 31 20:47:54 EDT 2017

> It was found that a flaw in commons-collections library allowed remote code execution wherever deserialization occurs. While JBoss doesn't expose the JMXInvokerServlet by default, other interfaces where deserialization occur might be vulnerable.
>
> – redhat.com