
Each entry below lists the following fields: date, CVE, library, description, versions, risk for Delft-FEWS, JIRA issue and upgrade strategy.

Date: May 2026
CVE: CVE-2026-42198
Library: postgresql-42.7.10.jar

Description: pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

Versions: 42.7.10 and lower
Risk for Delft-FEWS: Can cause a denial of service on the local machine
JIRA: FEWS-34863


Date: April 2026
CVE: CVE-2026-34500
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-34487
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-34483
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-32990
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Versions: 11.0.15 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-29146
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Versions: 11.0.19 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-29145
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-29129
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Versions: 11.0.18 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-25854
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Versions: 11.0.18 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2026-24880
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar

Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in 2026.01; Stable 2024.02 and newer Stable branches since 4th May 2026

Date: April 2026
CVE: CVE-2025-66453
Library: rhino-1.7.14.jar

Description: Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Versions: 1.7.14.1 and lower
JIRA: FEWS-34750
Upgrade strategy: Library upgraded in 2026.01

Date: April 2026
CVE: CVE-2025-70873
Library: sqlite-jdbc-3.50.3.0.jar

Description: An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Versions: 3.51.1 and lower
JIRA: FEWS-34782
Upgrade strategy: Library upgraded in 2026.01

Date: April 2026
CVE: CVE-2026-34480
Library: log4j-*.2.25.3.jar

Description: Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use:

* JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
* Alternative StAX implementations (e.g., Woodstox, https://github.com/FasterXML/woodstox, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Versions: 2.25.3 and lower
JIRA: FEWS-34733
Upgrade strategy: Library upgraded in 2026.01

Date: April 2026
CVE: CVE-2026-33870
Library: netty-all-4.2.9.Final.jar

Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Netty is used in the FEWS import functionality, where it only uses HTTPS client functionality to download data; the risk of this becoming the target of a DoS attack is extremely low.

Versions: 4.2; versions prior to 4.2.10
Risk for Delft-FEWS: False positive
JIRA: FEWS-34704
Upgrade strategy: False positive, but updated to 4.2.12.Final in MAIN (2026.01)

Date: April 2026
CVE: CVE-2026-33871
Library: netty-all-4.2.9.Final.jar

Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Netty is used in the FEWS import functionality, where it only uses HTTPS client functionality to download data; the risk of this becoming the target of a DoS attack is extremely low.

Versions: 4.2; versions prior to 4.2.10
Risk for Delft-FEWS: False positive
JIRA: FEWS-34704
Upgrade strategy: False positive, but updated to 4.2.12.Final in MAIN (2026.01)

Date: March 2026
CVE: CVE-2026-24734
Library: tomcat-embed-core-11.0.14.jar

Description: Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

Embedded Tomcat, which is part of the FEWS installation, is normally not set up for HTTPS and should only be used for testing purposes within the protection of a local network, so it should never be exposed to the public internet.

Versions: 11.0.1; versions up to (excluding) 11.0.18
Risk for Delft-FEWS: False positive
JIRA: FEWS-34614
Upgrade strategy: False positive, but updated to 11.0.18 in MAIN (2026.01)

Date: March 2026
CVE: CVE-2025-66614
Library: tomcat-embed-core-11.0.14.jar

Description: Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

Embedded Tomcat, which is part of the FEWS installation, is normally not set up for HTTPS and should only be used for testing purposes within the protection of a local network, so it should never be exposed to the public internet.

Versions: 11.0.1; versions up to (excluding) 11.0.15
Risk for Delft-FEWS: False positive
JIRA: FEWS-34613
Upgrade strategy: False positive, but updated to 11.0.18 in MAIN (2026.01)

Date: January 2026
CVE: CVE-2026-22184
Library: zlib.dll

Description: This is a bug in a reference program demonstrating how to use zlib. This is not a problem in zlib itself.

ioapi.c and untgz.c are in the contrib directory, and so are not part of zlib. You can contact the authors of those codes if you like, but in any case they are not vulnerabilities in zlib.

Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-34300
Upgrade strategy: False positive, no action required

Date: January 2026
CVE: CVE-2025-6444, CVE-2020-28042
Library: client-1.1.5.jar

Description: The CVE warnings refer to a JS library, not the service stack in the client jar.

Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-34287
Upgrade strategy: False positive, no action required

Date: December 2025
CVE: CVE-2024-25710
Library: commons-compress-1.21.jar

Description: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Versions: 1.21

Date: December 2025
CVE: CVE-2024-36404
Library: gt-28.2.jar

Description: GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.

Versions: 28.2

Date: December 2025
CVE: CVE-2025-30220
Library: gt-28.2.jar

Description: GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.

Versions: 28.2

Date: December 2025
CVE: CVE-2024-1597
Library: postgresql-42.6.0.jar

Description: pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Versions: 42.6.0

Date: November 2025
CVE: CVE-2025-59250
Library: mssql-jdbc.*.jar

Description: Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

Versions: 12.10.2, 13.2.1, 12.6.5, 11.2.4, 10.2.4, 12.8.2, 12.2.1, and 12.4.3
Risk for Delft-FEWS: False positive if a non-MS-SQL database is used. Otherwise allows a man-in-the-middle attack and spoofing when connecting to an MS-SQL server.
JIRA: FEWS-33934
Upgrade strategy: Upgrade the version if MS-SQL is used in the branch

Date: Aug 2025
CVE: CVE-2025-6445
Library: client-1.*.*.jar

Description: ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

This library is used only by the Aquaris server import feature and affects only the server side, which is a .Net platform based component; Delft-FEWS only uses a Java-based client component, which is not affected.

Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-33578
Upgrade strategy: False positive, no action required

Date: July 2025
CVE: CVE-2024-7254
Library: protobuf-java-*.jar

Description: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

This warning is triggered by un-versioned references to Google protobuf-java both in the NetCDF-java libraries and in THREDDS, as well as by a properly patched version, protobuf-java-3.25.5.jar, in the FEWS binaries. This is considered to be a bug in the OWASP dependency scanner that we cannot fix.

Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-26649
Upgrade strategy: False positive, no action required

Date: June 2025
CVE: CVE-2025-52999
Library: jackson-core-2.13.2.jar, jackson-core-2.14.2.jar

Description: Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

In the open-archive users cannot input JSON; in the FEWS webservices user input in JSON format is disabled by default and should only be configured for authenticated users. In the FEWS desktop application the user already has access to the system. Therefore this is not considered a high risk.

Versions: 2024.01 and earlier
Risk for Delft-FEWS: False positive
JIRA: FEWS-28837
Upgrade strategy: False positive, no action required

Date: Apr 2025
CVE: CVE-2023-4770
Library: Delft_PI.jar, Delft_Util.jar, Delft_NetCDF_Util.jar, Delft_Jep.jar, mydoggy-res-1.4.3p

Description: An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.

Versions: Adapters
Risk for Delft-FEWS: False positive
Upgrade strategy: False positive, no action required

Date: Mar 2025
CVE: CVE-2025-27553
Library: commons-vfs2-*.jar

Description: Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.

This VFS (Virtual File System) library is used only by the data import module of FEWS. The code has been scanned, but no calls to the resolveFile method using this specific NameScope were found. Even the possible case where this may be called indirectly should not be a major concern, as the file paths used to import data from can only be configured by FEWS configurators, and there is no way a remote attacker can interfere with this without first gaining access to the file or database systems used by FEWS in some other way.

Versions: 2022.01 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-32789
Upgrade strategy: Upgraded to version 2.10.0 in 2025.01 and later branches

Date: Nov 2024
CVE: CVE-2024-48910
Library: swagger-ui-*.js

Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

This is apparently embedded in the swagger test pages provided for testing of the FEWS webservices. These pages should never be open to untrusted/public input. The swagger library has been updated in 2024.02, but this is considered a false positive.

Versions: 2021.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-32230
Upgrade strategy: False positive, no action required

Date: Oct 2024
CVE: CVE-2024-47554
Library: commons-io-2.7.jar

Description: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

The current source code of both FEWS and the THREDDS release included with the archive has been checked, and there is no usage whatsoever of the Apache XML related classes; only the XML related classes provided by the Java JDK are used.

Risk for Delft-FEWS: False positive
JIRA: FEWS-26642
Upgrade strategy: False positive

Date: Sept 2024
CVE: CVE-2024-45801, CVE-2024-47875
Library: swagger-ui-*.js

Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.

This is apparently embedded in the swagger test pages provided for testing of the FEWS webservices. These pages should never be open to untrusted/public input, so although the swagger library has been updated in 2024.02, this is considered a false positive.

Versions: 2021.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-31929
Upgrade strategy: False positive, no action required

Date: July 2024
CVE: CVE-2024-36401
Library: gt-complex-31.1.jar

Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions... A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

FEWS uses the GeoTools library, not GeoServer. The WFS (Web Feature Server) implementation in FEWS is a 'Simple' profile implementation of the WFS standard which is read-only, does not include XPath expressions and does not use the vulnerable gt-complex-x.y.jar library reported here. Therefore this is considered a false positive.

Versions: 2021.02 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-27037
Upgrade strategy: False positive, no action required

Date: May 2024
CVE: CVE-2024-34447, CVE-2024-29857
Library: bcprov-jdk15-*.jar

Description: The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

This library is related to the OpenID authentication support in the FEWS web services and admin interface. FEWS only allows the use of certificates from a local truststore which is managed by the system administrators, so the scenario where a certificate is "imported" does not apply. Therefore we consider this a false positive.

Versions: 2021.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-24727
Upgrade strategy: False positive, no action required

Date: February 2024
CVE: CVE-2023-52428
Library: nimbus-jose-jwt-9.2*.jar

Description: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

This library is related to the OpenID authentication support in the FEWS web services and admin interface. FEWS does not use the PBKDF2 component for password decryption. Therefore we consider this a false positive.

Versions: 2022.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-31813
Upgrade strategy: False positive, no action required

February 2024

CVE-2022-37434

CVE-2002-0059

CVE-2018-25032

zlib1.dll

Several security issues in zlib versions 1.2.12 and earlier are reported.

FEWS uses a more recent version (1.2.13 - 1.3.1) but apparently the OWASP dependency checker is not able to detect this, therefore we consider this a false alarm.

2022.02 - current

False positive

Jira: FEWS-27692 (Deltares Issue Tracker)

False positive, no action required

December 2023

CVE-2022-46337

derby-10.16.1.1.jar

A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server.

FEWS only uses embedded Derby in local Standalone-installations, embedded Derby does not support LDAP and is not accessible over a network in such configurations. Therefore this warning can safely be discarded as a false positive.

2021.02 - current

False positive

Jira: FEWS-30391 (Deltares Issue Tracker)

False positive, no action required

November 2023

CVE-2023-36052

CVE-2024-43591

azure-core-*.jar
azure-identity-*.jar

Azure CLI REST Command Information Disclosure Vulnerability

The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto Networks Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs. Microsoft recommends that customers update to the latest version of Azure CLI (2.54) and follow the guidance provided below to help prevent inadvertently exposing secrets through CI/CD logs. A notification in the Azure Portal was sent to customers who recently used Azure CLI commands informing them of an available update.

2032.02 - current

This is a very specific use case where the role these Java libraries could play is not clear. FEWS does not use this library in the context of a CLI or GitHub Actions, so this OWASP alert is considered a false positive.

Jira: FEWS-30379, FEWS-30236 (Deltares Issue Tracker)

False positive, no action required

November 2023

CVE-2023-36415

azure-identity-*.jar

Azure Identity SDK Remote Code Execution Vulnerability

The above is the only information supplied.

For the current 1.11.0 version we consider this a false alert for a vulnerability that needs to be addressed in the .NET-based Azure SDK, so it will be suppressed specifically for CVE-2023-36415.

2021.02 - current

False positive

Jira: FEWS-30236 (Deltares Issue Tracker)


October 2023

CVE-2023-45853

zlib1.dll

libz.so.1.2.13

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.

The main author, Mark Adler, states (GitHub):
"Minizip is not part of zlib. The source code is provided in the contrib directory of the zlib distribution, along with several other such contributions, as a courtesy. This is not a zlib vulnerability."
Additionally, zlib.def has been checked to verify that at least the Windows version contains no minizip methods.

2022.02 - current

False positive

Jira: FEWS-27692 (Deltares Issue Tracker)

False positive, no action required.

October 2023

CVE-2023-4586

netty-transport-4.1.91.Final.jar

netty-all-4.1.79.Final.jar

A vulnerability was found in the Hot Rod client provided by the Netty library. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.
Netty is used by FEWS in the context of Microsoft Azure (AzureIotHub import) and THREDDS, which is used by the archive server.

Hot Rod is a very specific TCP client-server protocol used by the JBoss Infinispan product. There is no indication of any kind that the Hot Rod protocol is used by FEWS or THREDDS in any way, so this is considered a false positive warning.

2020.02 - current

False positive

Jira: FEWS-26050 (Deltares Issue Tracker)

False positive. No action required.

September 2023

CVE-2023-34040

spring-boot-3.0.7.jar

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. Specifically, an application is vulnerable when all of the following are true:

- The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record.

- The user explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true.

- The user allows untrusted sources to publish to a Kafka topic.

By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.

Two out of three conditions mentioned in the description are not met in the case of FEWS. This library is currently only used for the admin interface, which should never be made available for use by "untrusted sources" over the internet.

2020.02 - 2023.01

False positive

Jira: FEWS-29191 (Deltares Issue Tracker)

False positive. No action required.


February 2023

CVE-2023-25158

gt-26.4.jar
gt-20.0.jar
net.opengis.fes-20.0.jar

The GeoTools implementation of the OpenGIS Filter Encoding Standard (FES) has been found to contain SQL Injection Vulnerabilities when executing OGC Filters with JDBCDataStore implementations.

Delft-FEWS has no such JDBCDataStore implementation and the Filter functionality has been included only to support a client side implementation of the OpenGIS WFS interface. FEWS only uses this to implement OpenGIS WFS viewing capability, no server side WFS or FES implementation that could be prone to SQL injection exists in FEWS.

2019.02 - 2022.02

False positive

Jira: FEWS-27037 (Deltares Issue Tracker)

False positive. No action required.

December 2022

CVE-2016-4432

qpid-jms-client-0.51.0-p.jar

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.

Delft-FEWS only uses the client, not the AMQP server.

2021.01 - current

False positive.

Jira: FEWS-28377 (Deltares Issue Tracker)

False positive. No action required. The jar file can be removed from the bin folder if the Azure IoT Hub import is not used. See also AzureIotHub

Oct 2022

CVE-2022-41853

hsqldb-2.*.jar

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath, resulting in code execution.

Delft-FEWS does not allow any 'untrusted' input to be used in SQL statements, so this is considered a false positive.

2021.02 - 2022.02

False positive

Jira: FEWS-31820 (Deltares Issue Tracker)

2023.01 and later have been upgraded to version 2.7.2

Oct 2022

CVE-2022-41404

ini4j-0.5.4.jar

An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

2022.02 and earlier

False positive

False positive: the report mentions that version 0.5.4 fixes the problem, yet the scanner still flags the current version. Also, this library is only used in adapters, where "unspecified vectors" are extremely unlikely to play any role.

Feb 2023

August 2022


CVE-2022-31197

postgresql-42.4.1.jar

postgresql-42.3.3.jar

PG 42.3.3 was flagged in Aug 2022.

PG 42.4.1 was flagged only since Feb 2023.

The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. 

2022.01 - 2022.02

False positive. PgResultSet#refreshRow() is not used.
Jira: FEWS-28737, FEWS-27632 (Deltares Issue Tracker)

False positive. 2022.02 and 2023.01 have been upgraded to 42.5.3.


May 2022

CVE-2016-1000027

spring-core-5.3.19.jar

The Spring framework allows the use of an HTTP invoker that relies on Java object serialization, which may be vulnerable to remote code execution.

https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker

2019.02 - 2022.01

Only used in the Admin interface, where the described scenario is not used.


Jira: FEWS-27230 (Deltares Issue Tracker)

False positive. The HTTP Invoker method that is vulnerable is not used in any of the Delft-FEWS components. Upgrading won't help either, since it won't be removed from the library. It has been marked as deprecated and will be removed in Spring 6.

Mar 2022

CVE-2022-26336

poi-scratchpad 5.2

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.

2021.02 only

False positive. FEWS uses some of the Apache POI library (for the interval statistics dialog) but not the scratchpad, which is in a separate jar file.

Jira: FEWS-26865 (Deltares Issue Tracker)

False positive. Upgrade in development to latest release.
Feb 2022

CVE-2022-21724

postgresql-42.2.22.jar

A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the postgresql library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade.

2021.02 - 2022.01

PG JDBC database URL manipulation enables code execution loaded via arbitrary classes.

Jira: FEWS-26908 (Deltares Issue Tracker)

Upgrade to postgresql-42.3.3.jar
Nov 2021

CVE-2021-43466

thymeleaf-3.0.12.RELEASE.jar

In the thymeleaf-spring5:3.0.12 component, Thymeleaf combined with specific scenarios in template injection may lead to remote code execution.

Comment from a Thymeleaf developer: "I'd like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered."


Only used in Admin interface where the described scenario is not used.

Jira: FEWS-26228 (Deltares Issue Tracker)

False positive. No action required. Once version 3.0.13 is available we can upgrade the jar to avoid this false alarm.
Oct 2021 / Jan 2022

CVE-2021-42340

CVE-2022-23181

tomcat-embed-core-9.0.50.jar

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

2021.02 - 2022.02

False positives. Delft-FEWS web applications don't use WebSockets and don't use session persistence with the FileStore.

Jira: FEWS-26049 (Deltares Issue Tracker)

False positives. Upgrade in development only to the latest Tomcat 9 release.
Oct 2021

CVE-2021-37136

CVE-2021-37137

netty-all-4.1.48.Final.jar

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. 

and

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.


False alarm. The Bzip2 decoder is not used. Excessive memory usage might lead to a failing FSS in the worst case. Since the Azure IoT Hub is quite well secured, the risk is limited.

Jira: FEWS-26050 (Deltares Issue Tracker)



False positive. Upgrade in development to latest release.
Jun 2021

CVE-2021-33813

jdom-2.02.jar

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

Might be used in imports that use OPeNDAP. But since the library is not used in a service component, the risk is limited.

Jira: FEWS-25545 (Deltares Issue Tracker)

Dependency of the ucar NetCDF libraries. The JDOM library has been upgraded to jdom2-2.0.6.1.jar since 2022.01.


Oct 2020

CVE-2017-9096

iText-2.1.3.jar

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

This library is used only to export time series charts and to index the PDF help files that are distributed with Delft-FEWS. Untrusted content will never be opened using iText, so this is considered a false positive.

Jira: FEWS-31666 (Deltares Issue Tracker)

False positive. Upgrading this would require a commercial version that may not be backwards compatible.
Mar 2019

CVE-2019-7611

elasticsearch-core-6.4.3.jar

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used.

Elasticsearch, as distributed as part of the archive server, does not have Field Level or Document Level Security disabled. As long as the provided settings are not changed, there is no risk.

Jira: FEWS-25543 (Deltares Issue Tracker)

False positive. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm.
May 2018

CVE-2018-1258

spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CWE-863 Incorrect Authorization


False alarm. Spring Security is used in the Admin Interface, but with a higher version of the Spring framework than 5.0.5.

Jira: FEWS-25865 (Deltares Issue Tracker)

False positive. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm.

...