Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cyber security vulnerabilities. A dependency checker is used on a daily base for all third party libraries present in our products.
This check results in a list of vulnerabilities. Either a vulnerability is valid and will be fixed as soon as possibe or it is a so called "false positive". Due to the way dependency checking works false positives may occur (i.e. a CPE was identified that is incorrect). For each false positive a description is added and comment why we think this is a false positive.
When a vulnerability is valid and a solution is provided we strive to fix this in the next patch. Only after the patch is released we disclose information regarding this vulnerability in the list below.
Known third party vulnerabilities
| CVE | Affected product | Affected version | Resolved version | Details |
|---|---|---|---|---|
| CVE-2022-22965 | BMA | <3.5.7, 4.0.5 | 3.5.7, 4.0.5 | Fixed by upgrading spring boot |
| CVE-2020-36518 | BMA | < 3.5.7, 4.0.5 | 3.5.7, 4.0.5 | Fixed by upgrading jackson-databind |
| CVE-2021-22096 | BMA | < 3.5.4 | 3.5.4 | Fixed by upgrading spring boot |
| BMA | < 3.5.3, 4.0.3 | 3.5.3, 4.0.3 | Fixed by upgrading log4j2 | |
| CVE-2021-42550 | BMA | < 3.5.2, 4.0.2 | 3.5.2, 4.0.2 | Fixed by upgrading spring boot and logback |
| CVE-2021-22096 | BMA | < 3.5.1 | 3.5.1 | Fixed by upgrading spring boot |
| CVE-2021-29425 | BMA | < 3.4.0 | 3.4.0 | Fixed by upgrading commons-io |
| CVE-2020-10693 | BMA | < 3.3.3 | 3.3.3 | Fixed by upgrade hibernate validator and spring boot |
| CVE-2020-8908 | BMA | < 3.3.2 | 3.3.2 | Fixed by upgrading Guava dependency |
| CVE-2020-25649 | BMA | < 3.3.2 | 3.3.2 | Fixed by upgrading Jackson core and databind dependencies |
| CVE-2020-13956 | BMA | < 3.3.2 | 3.3.2 | Fixed by upgrading httpClient dependency |
| CVE-2020-5421 | BMA | < 3.3.2 | 3.3.2 | Fixed by excluding unused transient dependency spring-web |
| CVE-2020-5398 | BMA | < 3.3.2 | 3.3.2 | Fixed by excluding unused transient dependency spring-web |
| CVE-2020-5421 | BMA | < 3.3.2 | 3.3.2 | Fixed by upgrading spring and spring boot |
| CVE-2017-18640 | BMA | < 3.3.2 | 3.3.2 | Fixed by upgrading snakeyaml |
| CVE-2020-9488 | BMA | < 3.3.0 | 3.3.0 | Fixed by upgrading Log4j dependencies |
| CVE-2019-14379 | BMA Sonar Plugin | < 3.0.1 < 2.5.3 | 3.0.1 2.5.3 | Fixed by upgrading Jackson Databind dependency |
| CVE-2019-12814 | BMA Sonar Plugin | < 2.5.1 | 2.5.1 | Fixed by upgrading Jackson Databind dependency |
| CVE-2019-12086 | BMA Sonar Plugin | < 2.5.0 | 2.5.0 | Fixed by upgrading Jackson dependency |
| CVE-2018-15756 | BMA Sonar Plugin | < 2.3.6 | 2.3.6 | Fixed by upgrading to Spring Framework 4.3.22 |
| CVE-2018-14721 | BMA Sonar Plugin | < 2.3.6 | 2.3.6 | Fixed by upgrading jack-databind to version 2.9.8 |
| CVE-2018-14720 | BMA Sonar Plugin | < 2.3.6 | 2.3.6 | Fixed by upgrading jack-databind to version 2.9.8 |
| CVE-2018-14719 | BMA Sonar Plugin | < 2.3.6 | 2.3.6 | Fixed by upgrading jack-databind to version 2.9.8 |
| CVE-2018-14718 | BMA Sonar Plugin | < 2.3.6 | 2.3.6 | Fixed by upgrading jack-databind to version 2.9.8 |
| CVE-2018-10237 | BMA Sonar Plugin | < 2.3.5 | 2.3.5 | Fixed by upgrading google guava to 27.0.1-jre and google guice to 4.2.2 |
| CVE-2018-1270 | BMA Sonar Plugin | < 2.3.2 | 2.3.2 | Fixed by upgrading Spring Framework |
| CVE-2018-1271 | BMA Sonar Plugin | < 2.3.2 | 2.3.2 | Fixed by upgrading Spring Framework |
| CVE-2018-1272 | BMA Sonar Plugin | < 2.3.2 | 2.3.2 | Fixed by upgrading Spring Framework |
| CVE-2018-1275 | BMA Sonar Plugin | < 2.3.2 | 2.3.2 | Fixed by upgrading Spring Framework |
| CVE-2018-11040 | BMA Sonar Plugin | < 2.2.1 | 2.2.1 | Fixed by upgrading to Spring Framework 4.3.18. |
| CVE-2018-11039 | BMA Sonar Plugin | < 2.2.1 | 2.2.1 | Fixed by upgrading to Spring Framework 4.3.18. |
| CVE-2018-1272 | BMA Sonar Plugin | < 2.1.1 | 2.1.2 | Fixed by upgrading to Spring Framework 4.3.16. |
| CVE-2018-1271 | BMA Sonar Plugin | < 2.1.1 | 2.1.2 | Fixed by upgrading to Spring Framework 4.3.16. |
| CVE-2018-1270 | BMA Sonar Plugin | < 2.1.1 | 2.1.2 | Fixed by upgrading to Spring Framework 4.3.16. |
| CVE-2018-1257 | BMA Sonar Plugin | < 2.2.0 | 2.2.0 | Fixed by upgrading to Spring Framework 4.3.17. |
| CVE-2016-5007 | BMA Sonar Plugin | 2.1.1 | 2.1.2 | Fixed by excluding spring-web-4.2.9.jar and spring-webmvc-4.2.9.jar |
| CVE-2018-7489 | BMA Sonar Plugin | 2.1.0 | 2.1.1 | Fixed by upgrading jack-databind to version 2.9.5 |
| CVE-2017-5662 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding batik-css-1.7.jar |
| CVE-2017-14735 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding antisamy-1.4.3.jar |
| CVE-2016-9878 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by upgrading spring-core to 4.3.12 |
| CVE-2016-5007 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by upgrading spring-core to 4.3.12 |
| CVE-2016-3092 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-fileupload-1.2.jar |
| CVE-2016-2510 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding bsh-core-2.0b4.jar |
| CVE-2016-10006 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding antisamy-1.4.3.jar |
| CVE-2016-1000031 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-fileupload-1.2.jar |
| CVE-2015-5262 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-httpclient-3.1.jar |
| CVE-2015-5211 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by upgrading spring-core to 4.3.12 |
| CVE-2015-0250 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding batik-css-1.7.jar |
| CVE-2014-3577 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-httpclient-3.1.jar |
| CVE-2014-0114 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-beanutils-core-1.7.0.jar |
| CVE-2014-0107 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding xalan-2.7.0.jar |
| CVE-2014-0050 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-fileupload-1.2.jar |
| CVE-2013-5960 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding esapi-2.1.0.jar |
| CVE-2013-0248 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-fileupload-1.2.jar |
| CVE-2012-6153 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding commons-httpclient-3.1.jar |
| CVE-2010-0538 | BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding AppleJavaExtensions-1.4.jar |
| BMA Sonar Plugin | 1.0.0 | 1.0.1 | Fixed by excluding AppleJavaExtensions-1.4.jar |
False positives
| CVE | Third party dependency | Description |
|---|---|---|
| CVE-2021-38542 CVE-2021-40110 CVE-2021-40111 CVE-2021-40525 | apache-mime4j-core-0.7.2.jar | The vulnerability is incorrectly matched to the apache-mime4j-core dependency. The vulnerability is matched on the group identifier apache.james for Apache James which does contain these CVE's for version < 3.6 |
| CVE-2021-44228 | log4j-api-2.14.1.jar | The vulnerability is incorrectly matched to the log4j-api dependency, while it only concerns the log4j-core library. We updated the other log4j dependencies that we ship (log4j-api and log4j-to-slf4j) to version 2.15.0 anyway, to avoid any confusion. For more information, see https://www.blueriq.com/en/insights/measures-concerning-log4shell. |
| CVE-2018-8088 | slf4j-api-1.7.25.jar | "org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data." Comment: The slf4j-ext library is affected, but the other slf4j libraries are not. |
| CVE-2015-3448 | unirest-java-1.4.9.jar | "REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords". Comment: rest-client is a Ruby library and does not affect the Java library we use. |
| CVE-2015-1820 | unirest-java-1.4.9.jar | "REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information". Comment: rest-client is a Ruby library and does not affect the Java library we use. |
Overview
Content Tools