| Vulnerability | Description | Severity | Software | Version | Path | Fixed By |
|---|---|---|---|---|---|---|
| CVE-2019-13990 | initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | Critical | org.quartz-scheduler:quartz | 2.2.0 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/quartz-2.2.0.jar | 2.3.2 |
| CVE-2021-35515 | When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. | High | org.apache.commons:commons-compress | 1.19 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/jython-standalone-2.7.2.jar | 1.21 |
| CVE-2021-35516 | When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. | High | org.apache.commons:commons-compress | 1.19 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/jython-standalone-2.7.2.jar | 1.21 |
| CVE-2021-35517 | When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. | High | org.apache.commons:commons-compress | 1.19 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/jython-standalone-2.7.2.jar | 1.21 |
| CVE-2021-36090 | When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. | High | org.apache.commons:commons-compress | 1.19 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/jython-standalone-2.7.2.jar | 1.21 |
| CVE-2022-1471 | SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. | High | org.yaml:snakeyaml | 1.33 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/snakeyaml-1.33.jar | 2 |
| CVE-2022-44729 | Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later. | High | org.apache.xmlgraphics:batik-transcoder | 1.16 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/batik-transcoder-1.16.jar | 1.17 |
| CVE-2022-45688 | A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. | High | org.json:json | 20180813 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/json-20180813.jar | 20230227 |
| CVE-2023-31582 | jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less. | High | org.bitbucket.b_c:jose4j | 0.5.5 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/jose4j-0.5.5.jar | 0.9.3 |
| CVE-2023-43642 | snappy-java is a Java port of snappy, a fast C++ compressor/decompressor developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to a missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources. | High | org.xerial.snappy:snappy-java | 1.1.10.1 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/snappy-java-1.1.10.1.jar | 1.1.10.4 |
| CVE-2023-5072 | Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. | High | org.json:json | 20180813 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/json-20180813.jar | 20231013 |
| CVE-2024-21634 | Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with. | High | software.amazon.ion:ion-java | 1.0.2 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/ion-java-1.0.2.jar | 1.10.5 |
| CVE-2024-22201 | Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6. | High | org.eclipse.jetty.http2:http2-common | 9.4.53.v20231009 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/http2-common-9.4.53.v20231009.jar | 9.4.54, 10.0.20, 11.0.20 |
| CVE-2024-22257 | In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null Authentication parameter. | High | org.springframework.security:spring-security-core | 6.2.2 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/spring-security-core-6.2.2.jar | 5.7.12, 5.8.11, 6.1.8, 6.2.3 |
| CVE-2024-25710 | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue. | High | org.apache.commons:commons-compress | 1.19 | usr/local/tomcat/webapps/AFS-admin.war/WEB-INF/lib/jython-standalone-2.7.2.jar | 1.26.0 |