René's URL Explorer Experiment


Title: esapi-2.3.0.0.jar: 13 vulnerabilities (highest severity is: 9.8) [master] (reachable) · Issue #37 · amaybaum-dev/BenchmarkJava · GitHub

Open Graph Title: esapi-2.3.0.0.jar: 13 vulnerabilities (highest severity is: 9.8) [master] (reachable) · Issue #37 · amaybaum-dev/BenchmarkJava

X Title: esapi-2.3.0.0.jar: 13 vulnerabilities (highest severity is: 9.8) [master] (reachable) · Issue #37 · amaybaum-dev/BenchmarkJava

Description: 📂 Vulnerable Library - esapi-2.3.0.0.jar The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the ...

Open Graph Description: 📂 Vulnerable Library - esapi-2.3.0.0.jar The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not ...

X Description: 📂 Vulnerable Library - esapi-2.3.0.0.jar The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not ...

Opengraph URL: https://github.com/amaybaum-dev/BenchmarkJava/issues/37

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"esapi-2.3.0.0.jar: 13 vulnerabilities (highest severity is: 9.8) [master] (reachable)","articleBody":"\u003cdetails\u003e\n  \u003csummary\u003e📂 Vulnerable Library - \u003cstrong\u003eesapi-2.3.0.0.jar\u003c/strong\u003e\u003c/summary\u003e\n\nThe Enterprise Security API (ESAPI) project is an OWASP project\n        to create simple strong security controls for every web platform.\n        Security controls are not simple to build. You can read about the\n        hundreds of pitfalls for unwary developers on the OWASP web site. By\n        providing developers with a set of strong controls, we aim to\n        eliminate some of the complexity of creating secure web applications.\n        This can result in significant cost savings across the SDLC.\n\n\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.3.0.0/esapi-2.3.0.0.jar\n\n\n\u003c/details\u003e\n\n\n# Findings\n| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | **Reachability** |\n| ------------- | ------------- | ---- | --- | ----- | ----- | ----- | --- | --- | --- |\n| [ CVE-106848-507795 ](https://www.mend.io/vulnerability-database/CVE-106848-507795) | 🟣 Critical | 9.8 | N/A | N/A | commons-io-2.6.jar | Transitive | N/A | ❌ | |\n| [ CVE-2019-17571 ](https://www.mend.io/vulnerability-database/CVE-2019-17571) | 🟣 Critical | 9.3 | Not Defined | 43.2% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaGreen.png' width=20 height=22\u003e Unreachable |\n| [ CVE-2020-9493 ](https://www.mend.io/vulnerability-database/CVE-2020-9493) | 🟣 Critical | 9.3 | Not Defined | \u003c 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaGreen.png' width=20 height=22\u003e Unreachable |\n| [ CVE-2022-23305 ](https://www.mend.io/vulnerability-database/CVE-2022-23305) | 🟣 Critical | 9.3 | Not Defined | 14.1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ CVE-2022-23302 ](https://www.mend.io/vulnerability-database/CVE-2022-23302) | 🔴 High | 8.7 | Not Defined | \u003c 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaGreen.png' width=20 height=22\u003e Unreachable |\n| [ CVE-2022-23307 ](https://www.mend.io/vulnerability-database/CVE-2022-23307) | 🔴 High | 8.7 | Not Defined | \u003c 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaGreen.png' width=20 height=22\u003e Unreachable |\n| [ CVE-2023-24998 ](https://www.mend.io/vulnerability-database/CVE-2023-24998) | 🔴 High | 8.7 | Not Defined | 37.7% | commons-fileupload-1.3.3.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ CVE-2023-26464 ](https://www.mend.io/vulnerability-database/CVE-2023-26464) | 🔴 High | 8.7 | Not Defined | \u003c 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ CVE-2025-48734 ](https://www.mend.io/vulnerability-database/CVE-2025-48734) | 🔴 High | 8.7 | Not Defined | \u003c 1% | commons-beanutils-1.9.4.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ CVE-2021-4104 ](https://www.mend.io/vulnerability-database/CVE-2021-4104) | 🔴 High | 7.7 | High | 73.7% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ WS-2014-0034 ](https://www.mend.io/vulnerability-database/WS-2014-0034) | 🔴 High | 7.5 | N/A | N/A | commons-fileupload-1.3.3.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ CVE-2020-9488 ](https://www.mend.io/vulnerability-database/CVE-2020-9488) | 🟠 Medium | 6.3 | Not Defined | \u003c 1% | log4j-1.2.17.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n| [ CVE-2021-29425 ](https://www.mend.io/vulnerability-database/CVE-2021-29425) | 🟠 Medium | 6.3 | Not Defined | \u003c 1% | commons-io-2.6.jar | Transitive | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n\n\n# Details\n\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🟣CVE-106848-507795\n  \u003c/summary\u003e\n\n### Vulnerable Library - **commons-io-2.6.jar**\n\nThe Apache Commons IO library contains utility classes, stream implementations, file filters,\nfile comparators, endian transformation classes, and much more.\n\n**Library home page:** [ https://www.apache.org/ ](https://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **commons-io-2.6.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Vulnerability Details\n\nCreated automatically by the test suite\n\n**Publish Date:** Jun 07, 2010 05:12 PM\n\n**URL:** [ CVE-106848-507795 ](https://www.mend.io/vulnerability-database/CVE-106848-507795)\n\n**Threat Assessment**\n\nExploit Maturity:N/A\n\nEPSS:N/A\n\n**Score:** 9.8\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** \n\n**Release Date:** \n\n**Fix Resolution :** \n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🟣CVE-2019-17571\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThe vulnerable code is unreachable\n***\n\n### Vulnerability Details\n\nIncluded in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.\n\n**Publish Date:** Dec 20, 2019 04:01 PM\n\n**URL:** [ CVE-2019-17571 ](https://www.mend.io/vulnerability-database/CVE-2019-17571)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:43.2%\n\n**Score:** 9.3\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E\n\n**Release Date:** Dec 20, 2019 04:01 PM\n\n**Fix Resolution :** log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🟣CVE-2020-9493\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThe vulnerable code is unreachable\n***\n\n### Vulnerability Details\n\nA deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.\n\n**Publish Date:** Jun 16, 2021 07:30 AM\n\n**URL:** [ CVE-2020-9493 ](https://www.mend.io/vulnerability-database/CVE-2020-9493)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 9.3\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://www.openwall.com/lists/oss-security/2021/06/16/1\n\n**Release Date:** Jun 16, 2021 07:30 AM\n\n**Fix Resolution :** ch.qos.reload4j:reload4j:1.2.18.1\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🟣CVE-2022-23305\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.reference.DefaultValidator (Extension)\n            - org.owasp.esapi.reference.validation.HTMLValidationRule (Extension)\n                - org.owasp.validator.html.AntiSamy (Extension)\n                    - org.owasp.validator.html.scan.AntiSamyDOMScanner (Extension)\n                        - org.owasp.validator.html.scan.AbstractAntiSamyScanner (Extension)\n                            - org.owasp.validator.html.scan.ASHTMLSerializer (Extension)\n                                - org.slf4j.LoggerFactory (Extension)\n                                    - org.slf4j.impl.StaticLoggerBinder (Extension)\n                                        - org.slf4j.impl.Reload4jLoggerFactory (Extension)\n                                            - org.apache.log4j.LogManager (Extension)\n                                                - org.apache.log4j.helpers.OptionConverter (Extension)\n                                                    - org.apache.log4j.PropertyConfigurator (Extension)\n                                                        -\u003e ❌ org.apache.log4j.jdbc.JDBCAppender (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nBy design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\n\n**Publish Date:** Jan 18, 2022 03:25 PM\n\n**URL:** [ CVE-2022-23305 ](https://www.mend.io/vulnerability-database/CVE-2022-23305)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:14.1%\n\n**Score:** 9.3\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://reload4j.qos.ch/\n\n**Release Date:** Jan 18, 2022 03:25 PM\n\n**Fix Resolution :** ch.qos.reload4j:reload4j:1.2.18.2\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴CVE-2022-23302\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThe vulnerable code is unreachable\n***\n\n### Vulnerability Details\n\nJMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\n\n**Publish Date:** Jan 18, 2022 03:25 PM\n\n**URL:** [ CVE-2022-23302 ](https://www.mend.io/vulnerability-database/CVE-2022-23302)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 8.7\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://reload4j.qos.ch/\n\n**Release Date:** Jan 18, 2022 03:25 PM\n\n**Fix Resolution :** ch.qos.reload4j:reload4j:1.2.18.1\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴CVE-2022-23307\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThe vulnerable code is unreachable\n***\n\n### Vulnerability Details\n\nCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.\n\n**Publish Date:** Jan 18, 2022 03:25 PM\n\n**URL:** [ CVE-2022-23307 ](https://www.mend.io/vulnerability-database/CVE-2022-23307)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 8.7\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/qos-ch/reload4j/issues/21\n\n**Release Date:** Jan 18, 2022 03:25 PM\n\n**Fix Resolution :** ch.qos.reload4j:reload4j:1.2.18.1\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴CVE-2023-24998\n  \u003c/summary\u003e\n\n### Vulnerable Library - **commons-fileupload-1.3.3.jar**\n\nThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart\n    file upload functionality to servlets and web applications.\n\n**Library home page:** [ https://www.apache.org/ ](https://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **commons-fileupload-1.3.3.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)\n            - org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)\n                -\u003e ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n          new configuration option (FileUploadBase#setFileCountMax) is not\n          enabled by default and must be explicitly configured.\n\n\n\n\n**Publish Date:** Feb 20, 2023 03:57 PM\n\n**URL:** [ CVE-2023-24998 ](https://www.mend.io/vulnerability-database/CVE-2023-24998)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:37.7%\n\n**Score:** 8.7\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/advisories/GHSA-hfrx-6qgj-fp6c\n\n**Release Date:** Feb 20, 2023 03:57 PM\n\n**Fix Resolution :** commons-fileupload:commons-fileupload:1.5,org.apache.tomcat.embed:tomcat-embed-core:9.0.71,org.apache.tomcat:tomcat-coyote:11.0.0-M5,org.apache.tomcat.embed:tomcat-embed-core:10.1.5,org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M5,org.apache.tomcat.embed:tomcat-embed-core:8.5.88,org.apache.tomcat:tomcat-coyote:8.5.88,org.apache.tomcat:tomcat-coyote:10.1.5,org.apache.tomcat:tomcat-coyote:9.0.71\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴CVE-2023-26464\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.Validator (Extension)\n            - org.owasp.esapi.reference.validation.HTMLValidationRule (Extension)\n                - org.owasp.validator.html.AntiSamy (Extension)\n                    - org.owasp.validator.html.scan.AntiSamyDOMScanner (Extension)\n                        - org.owasp.validator.css.CssScanner (Extension)\n                            - org.apache.hc.client5.http.impl.classic.HttpClientBuilder (Extension)\n                                - org.apache.hc.client5.http.impl.classic.ProtocolExec (Extension)\n                                    - org.slf4j.LoggerFactory (Extension)\n                                        - org.slf4j.impl.StaticLoggerBinder (Extension)\n                                            - org.slf4j.impl.Reload4jLoggerFactory (Extension)\n                                                - org.apache.log4j.LogManager (Extension)\n                                                    - org.apache.log4j.spi.NOPLoggerRepository (Extension)\n                                                        - org.apache.log4j.spi.NOPLogger (Extension)\n                                                            - org.apache.log4j.net.JMSAppender (Extension)\n                                                                - org.apache.log4j.EnhancedPatternLayout (Extension)\n                                                                    - org.apache.log4j.pattern.BridgePatternConverter (Extension)\n                                                                        - org.apache.log4j.pattern.PatternParser (Extension)\n                                                                            -\u003e ❌ org.apache.log4j.pattern.NDCPatternConverter (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\n** UNSUPPORTED WHEN ASSIGNED **\nWhen using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)\nhashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.\nThis issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n\n**Publish Date:** Mar 10, 2023 01:38 PM\n\n**URL:** [ CVE-2023-26464 ](https://www.mend.io/vulnerability-database/CVE-2023-26464)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 8.7\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/advisories/GHSA-vp98-w2p3-mv35\n\n**Release Date:** Mar 10, 2023 01:38 PM\n\n**Fix Resolution :** org.apache.logging.log4j:log4j-core:2.0\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴CVE-2025-48734\n  \u003c/summary\u003e\n\n### Vulnerable Library - **commons-beanutils-1.9.4.jar**\n\nApache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.\n\n**Library home page:** [ https://www.apache.org/ ](https://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **commons-beanutils-1.9.4.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController (Extension)\n            - org.owasp.esapi.reference.accesscontrol.policyloader.ACRPolicyFileLoader (Extension)\n                - org.apache.commons.configuration.XMLConfiguration (Extension)\n                    - org.apache.commons.configuration.HierarchicalConfiguration$Node (Extension)\n                        - org.apache.commons.configuration.MultiFileHierarchicalConfiguration (Extension)\n                            - org.apache.commons.beanutils.BeanUtils (Extension)\n                                - org.apache.commons.beanutils.BeanUtilsBean (Extension)\n                                    -\u003e ❌ org.apache.commons.beanutils.LazyDynaClass (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nImproper Access Control vulnerability in Apache Commons.\nA special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.\nReleases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().\nStarting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.\nThis issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils\n1.x are recommended to upgrade to version 1.11.0, which fixes the issue.\nUsers of the artifact org.apache.commons:commons-beanutils2\n2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.\n\n**Publish Date:** May 28, 2025 01:32 PM\n\n**URL:** [ CVE-2025-48734 ](https://www.mend.io/vulnerability-database/CVE-2025-48734)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 8.7\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/advisories/GHSA-wxr5-93ph-8wr9\n\n**Release Date:** May 28, 2025 01:32 PM\n\n**Fix Resolution :** https://github.com/apache/commons-beanutils.git - commons-beanutils-2.0.0-M2-RC1,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-2.0.0-M2,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-1.11.0,org.apache.commons:commons-beanutils2:2.0.0-M2,commons-beanutils:commons-beanutils:1.11.0\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴CVE-2021-4104\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.logging.log4j.Log4JLogger (Extension)\n            - org.apache.log4j.Logger (Extension)\n                -\u003e ❌ org.apache.log4j.net.JMSAppender (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nJMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\n\n**Publish Date:** Dec 14, 2021 12:00 AM\n\n**URL:** [ CVE-2021-4104 ](https://www.mend.io/vulnerability-database/CVE-2021-4104)\n\n**Threat Assessment**\n\nExploit Maturity:High\n\nEPSS:73.7%\n\n**Score:** 7.7\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://nvd.nist.gov/vuln/detail/CVE-2021-4104\n\n**Release Date:** Dec 14, 2021 12:00 AM\n\n**Fix Resolution :** uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🔴WS-2014-0034\n  \u003c/summary\u003e\n\n### Vulnerable Library - **commons-fileupload-1.3.3.jar**\n\nThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart\n    file upload functionality to servlets and web applications.\n\n**Library home page:** [ https://www.apache.org/ ](https://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **commons-fileupload-1.3.3.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)\n            - org.apache.commons.fileupload.servlet.ServletFileUpload (Extension)\n                -\u003e ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nThe class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.\n\n**Publish Date:** Feb 17, 2014 12:13 AM\n\n**URL:** [ WS-2014-0034 ](https://www.mend.io/vulnerability-database/WS-2014-0034)\n\n**Threat Assessment**\n\nExploit Maturity:N/A\n\nEPSS:N/A\n\n**Score:** 7.5\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814\n\n**Release Date:** Feb 17, 2014 12:13 AM\n\n**Fix Resolution :** commons-fileupload:commons-fileupload:1.4\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🟠CVE-2020-9488\n  \u003c/summary\u003e\n\n### Vulnerable Library - **log4j-1.2.17.jar**\n\nApache Log4j 1.2\n\n**Library home page:** [ http://www.apache.org ](http://www.apache.org)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **log4j-1.2.17.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.logging.log4j.Log4JLogger (Extension)\n            - org.apache.log4j.Logger (Extension)\n                -\u003e ❌ org.apache.log4j.net.SMTPAppender (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nImproper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1\n\n**Publish Date:** Apr 27, 2020 03:36 PM\n\n**URL:** [ CVE-2020-9488 ](https://www.mend.io/vulnerability-database/CVE-2020-9488)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 6.3\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/advisories/GHSA-vwqq-5vrc-xw9h\n\n**Release Date:** Apr 27, 2020 03:36 PM\n\n**Fix Resolution :** org.apache.logging.log4j:log4j-core:2.3.2,org.apache.logging.log4j:log4j-core:2.12.3,org.apache.logging.log4j:log4j-core:2.13.2,org.apache.logging.log4j:log4j:2.3.2,org.apache.logging.log4j:log4j:2.12.3,org.apache.logging.log4j:log4j:2.13.2\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n 🟠CVE-2021-29425\n  \u003c/summary\u003e\n\n### Vulnerable Library - **commons-io-2.6.jar**\n\nThe Apache Commons IO library contains utility classes, stream implementations, file filters,\nfile comparators, endian transformation classes, and much more.\n\n**Library home page:** [ https://www.apache.org/ ](https://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- esapi-2.3.0.0.jar (Root Library)\n    - ❌  **commons-io-2.6.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.DatabaseHelper (Application)\n    - org.owasp.esapi.ESAPI (Extension)\n        - org.owasp.esapi.reference.DefaultHTTPUtilities (Extension)\n            - org.apache.commons.fileupload.disk.DiskFileItemFactory (Extension)\n                - org.apache.commons.io.FileCleaningTracker (Extension)\n                    - org.apache.commons.io.FileDeleteStrategy (Extension)\n                        - org.apache.commons.io.FileDeleteStrategy$ForceFileDeleteStrategy (Extension)\n                            - org.apache.commons.io.FileUtils (Extension)\n                                -\u003e ❌ org.apache.commons.io.FilenameUtils (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nIn Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.\n\n**Publish Date:** Apr 13, 2021 06:50 AM\n\n**URL:** [ CVE-2021-29425 ](https://www.mend.io/vulnerability-database/CVE-2021-29425)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 6.3\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** https://github.com/advisories/GHSA-gwrp-pvrq-jmwv\n\n**Release Date:** Apr 13, 2021 06:50 AM\n\n**Fix Resolution :** org.checkerframework.annotatedlib:commons-io:2.7,commons-io:commons-io:2.7\n\n\n\u003c/details\u003e\n\n[comment]: \u003c\u003e (\u003cMEND_ISSUE_METADATA\u003e{\"identifier\":\"esapi-2.3.0.0.jar\",\"repoName\":\"BenchmarkJava\",\"branchName\":\"master\",\"type\":\"SCA_DEP\"}\u003c/MEND_ISSUE_METADATA\u003e)","author":{"url":"https://github.com/mend-developer-platform-dev[bot]","@type":"Person","name":"mend-developer-platform-dev[bot]"},"datePublished":"2025-09-28T05:43:40.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/37/BenchmarkJava/issues/37"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:e248f75e-66c4-908b-7cca-037d5f8f494f
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idB560:1BB425:E8D474:138255C:6A532C2D
html-safe-nonce47f1aca152257ee9751aa4b9cef45820c5b28f2adef334d62b95c0cc6292211e
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCNTYwOjFCQjQyNTpFOEQ0NzQ6MTM4MjU1Qzo2QTUzMkMyRCIsInZpc2l0b3JfaWQiOiI1MTU2MjU2NDMzMDU4MDY4OTMiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmace7267691ba30517d8cdb01b510aa1405fc1d0a4d76f419b524889df078afdf75
hovercard-subject-tagissue:3461119532
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/amaybaum-dev/BenchmarkJava/37/issue_layout
twitter:imagehttps://opengraph.githubassets.com/17e7ffdb4a233531731b2c7f9b7225b5e0da6135d47116095e4d8104545e0bd2/amaybaum-dev/BenchmarkJava/issues/37
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/17e7ffdb4a233531731b2c7f9b7225b5e0da6135d47116095e4d8104545e0bd2/amaybaum-dev/BenchmarkJava/issues/37
og:image:alt📂 Vulnerable Library - esapi-2.3.0.0.jar The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not ...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamemend-developer-platform-dev[bot]
hostnamegithub.com
expected-hostnamegithub.com
Noneb9a586c06a05a7a86fc7e3f4dbd03e42f6869085879aa184aa6369456dbd50fb
turbo-cache-controlno-preview
go-importgithub.com/amaybaum-dev/BenchmarkJava git https://github.com/amaybaum-dev/BenchmarkJava.git
octolytics-dimension-user_id29013484
octolytics-dimension-user_loginamaybaum-dev
octolytics-dimension-repository_id619308890
octolytics-dimension-repository_nwoamaybaum-dev/BenchmarkJava
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forktrue
octolytics-dimension-repository_parent_id33565372
octolytics-dimension-repository_parent_nwoOWASP-Benchmark/BenchmarkJava
octolytics-dimension-repository_network_root_id33565372
octolytics-dimension-repository_network_root_nwoOWASP-Benchmark/BenchmarkJava
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release07a982c1d40157c619b364352b704c3ce66bb332
ui-targetcanary-2
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/amaybaum-dev/BenchmarkJava/issues/37#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Famaybaum-dev%2FBenchmarkJava%2Fissues%2F37
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/open-source/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/open-source/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/enterprise/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Famaybaum-dev%2FBenchmarkJava%2Fissues%2F37
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=amaybaum-dev%2FBenchmarkJava
Reloadhttps://github.com/amaybaum-dev/BenchmarkJava/issues/37
Reloadhttps://github.com/amaybaum-dev/BenchmarkJava/issues/37
Reloadhttps://github.com/amaybaum-dev/BenchmarkJava/issues/37
Please reload this pagehttps://github.com/amaybaum-dev/BenchmarkJava/issues/37
amaybaum-dev https://github.com/amaybaum-dev
BenchmarkJavahttps://github.com/amaybaum-dev/BenchmarkJava
OWASP-Benchmark/BenchmarkJavahttps://github.com/OWASP-Benchmark/BenchmarkJava
Notifications https://github.com/login?return_to=%2Famaybaum-dev%2FBenchmarkJava
Fork 0 https://github.com/login?return_to=%2Famaybaum-dev%2FBenchmarkJava
Star 0 https://github.com/login?return_to=%2Famaybaum-dev%2FBenchmarkJava
Code https://github.com/amaybaum-dev/BenchmarkJava
Issues 24 https://github.com/amaybaum-dev/BenchmarkJava/issues
Pull requests 9 https://github.com/amaybaum-dev/BenchmarkJava/pulls
Actions https://github.com/amaybaum-dev/BenchmarkJava/actions
Projects https://github.com/amaybaum-dev/BenchmarkJava/projects
Security and quality 0 https://github.com/amaybaum-dev/BenchmarkJava/security
Insights https://github.com/amaybaum-dev/BenchmarkJava/pulse
Code https://github.com/amaybaum-dev/BenchmarkJava
Issues https://github.com/amaybaum-dev/BenchmarkJava/issues
Pull requests https://github.com/amaybaum-dev/BenchmarkJava/pulls
Actions https://github.com/amaybaum-dev/BenchmarkJava/actions
Projects https://github.com/amaybaum-dev/BenchmarkJava/projects
Security and quality https://github.com/amaybaum-dev/BenchmarkJava/security
Insights https://github.com/amaybaum-dev/BenchmarkJava/pulse
esapi-2.3.0.0.jar: 13 vulnerabilities (highest severity is: 9.8) [master] (reachable)https://github.com/amaybaum-dev/BenchmarkJava/issues/37#top
https://github.com/apps/mend-developer-platform-dev
mend-developer-platform-devhttps://github.com/apps/mend-developer-platform-dev
on Sep 28, 2025https://github.com/amaybaum-dev/BenchmarkJava/issues/37#issue-3461119532
CVE-106848-507795 https://www.mend.io/vulnerability-database/CVE-106848-507795
CVE-2019-17571 https://www.mend.io/vulnerability-database/CVE-2019-17571
https://camo.githubusercontent.com/0d8454821575ec09d0c178651af426207e03ce995984bd236a02b2fcb856002e/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f766961477265656e2e706e67
CVE-2020-9493 https://www.mend.io/vulnerability-database/CVE-2020-9493
https://camo.githubusercontent.com/0d8454821575ec09d0c178651af426207e03ce995984bd236a02b2fcb856002e/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f766961477265656e2e706e67
CVE-2022-23305 https://www.mend.io/vulnerability-database/CVE-2022-23305
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
CVE-2022-23302 https://www.mend.io/vulnerability-database/CVE-2022-23302
https://camo.githubusercontent.com/0d8454821575ec09d0c178651af426207e03ce995984bd236a02b2fcb856002e/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f766961477265656e2e706e67
CVE-2022-23307 https://www.mend.io/vulnerability-database/CVE-2022-23307
https://camo.githubusercontent.com/0d8454821575ec09d0c178651af426207e03ce995984bd236a02b2fcb856002e/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f766961477265656e2e706e67
CVE-2023-24998 https://www.mend.io/vulnerability-database/CVE-2023-24998
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
CVE-2023-26464 https://www.mend.io/vulnerability-database/CVE-2023-26464
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
CVE-2025-48734 https://www.mend.io/vulnerability-database/CVE-2025-48734
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
CVE-2021-4104 https://www.mend.io/vulnerability-database/CVE-2021-4104
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
WS-2014-0034 https://www.mend.io/vulnerability-database/WS-2014-0034
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
CVE-2020-9488 https://www.mend.io/vulnerability-database/CVE-2020-9488
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
CVE-2021-29425 https://www.mend.io/vulnerability-database/CVE-2021-29425
https://camo.githubusercontent.com/275a4487400571fbc1241101dbe0e5e29fe288995ada2ab7d7f3ffa1f12e8367/68747470733a2f2f7768697465736f757263652d7265736f75726365732e7768697465736f75726365736f6674776172652e636f6d2f7669615265642e706e67
https://www.apache.org/ https://www.apache.org/
CVE-106848-507795 https://www.mend.io/vulnerability-database/CVE-106848-507795
CVE-2019-17571https://github.com/advisories/GHSA-2qrg-x229-3v8q
http://www.apache.org http://www.apache.org
CVE-2019-17571 https://www.mend.io/vulnerability-database/CVE-2019-17571
https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3Ehttps://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
CVE-2020-9493https://github.com/advisories/GHSA-prp9-9gxw-38j8
http://www.apache.org http://www.apache.org
CVE-2020-9493 https://www.mend.io/vulnerability-database/CVE-2020-9493
https://www.openwall.com/lists/oss-security/2021/06/16/1https://www.openwall.com/lists/oss-security/2021/06/16/1
CVE-2022-23305https://github.com/advisories/GHSA-65fg-84f6-3jq3
http://www.apache.org http://www.apache.org
CVE-2022-23305 https://www.mend.io/vulnerability-database/CVE-2022-23305
https://reload4j.qos.ch/https://reload4j.qos.ch/
CVE-2022-23302https://github.com/advisories/GHSA-w9p3-5cr8-m3jj
http://www.apache.org http://www.apache.org
CVE-2021-4104https://github.com/advisories/GHSA-fp5r-v3w9-4333
CVE-2022-23302 https://www.mend.io/vulnerability-database/CVE-2022-23302
https://reload4j.qos.ch/https://reload4j.qos.ch/
CVE-2022-23307https://github.com/advisories/GHSA-f7vh-qwp3-x37m
http://www.apache.org http://www.apache.org
CVE-2020-9493https://github.com/advisories/GHSA-prp9-9gxw-38j8
CVE-2022-23307 https://www.mend.io/vulnerability-database/CVE-2022-23307
qos-ch/reload4j#21https://github.com/qos-ch/reload4j/issues/21
CVE-2023-24998https://github.com/advisories/GHSA-hfrx-6qgj-fp6c
https://www.apache.org/ https://www.apache.org/
CVE-2023-24998 https://www.mend.io/vulnerability-database/CVE-2023-24998
GHSA-hfrx-6qgj-fp6chttps://github.com/advisories/GHSA-hfrx-6qgj-fp6c
CVE-2023-26464https://github.com/advisories/GHSA-vp98-w2p3-mv35
http://www.apache.org http://www.apache.org
CVE-2023-26464 https://www.mend.io/vulnerability-database/CVE-2023-26464
GHSA-vp98-w2p3-mv35https://github.com/advisories/GHSA-vp98-w2p3-mv35
CVE-2025-48734https://github.com/advisories/GHSA-wxr5-93ph-8wr9
https://www.apache.org/ https://www.apache.org/
CVE-2025-48734 https://www.mend.io/vulnerability-database/CVE-2025-48734
GHSA-wxr5-93ph-8wr9https://github.com/advisories/GHSA-wxr5-93ph-8wr9
https://github.com/apache/commons-beanutils.githttps://github.com/apache/commons-beanutils.git
https://github.com/apache/commons-beanutils.githttps://github.com/apache/commons-beanutils.git
https://github.com/apache/commons-beanutils.githttps://github.com/apache/commons-beanutils.git
CVE-2021-4104https://github.com/advisories/GHSA-fp5r-v3w9-4333
http://www.apache.org http://www.apache.org
CVE-2021-44228https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
CVE-2021-4104 https://www.mend.io/vulnerability-database/CVE-2021-4104
https://nvd.nist.gov/vuln/detail/CVE-2021-4104https://nvd.nist.gov/vuln/detail/CVE-2021-4104
https://www.apache.org/ https://www.apache.org/
WS-2014-0034 https://www.mend.io/vulnerability-database/WS-2014-0034
apache/commons-fileupload@5b4881dhttps://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814
CVE-2020-9488https://github.com/advisories/GHSA-vwqq-5vrc-xw9h
http://www.apache.org http://www.apache.org
CVE-2020-9488 https://www.mend.io/vulnerability-database/CVE-2020-9488
GHSA-vwqq-5vrc-xw9hhttps://github.com/advisories/GHSA-vwqq-5vrc-xw9h
CVE-2021-29425https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
https://www.apache.org/ https://www.apache.org/
CVE-2021-29425 https://www.mend.io/vulnerability-database/CVE-2021-29425
GHSA-gwrp-pvrq-jmwvhttps://github.com/advisories/GHSA-gwrp-pvrq-jmwv
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.