Press CTR-C to copy XML [help]


Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: Bedework json: Basic support for json objects and types

org.bedework:bw-json:2.1.0-SNAPSHOT

Scan Information (show all):

Summary

Summary of Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
bw-base-2.0.0.jarpkg:maven/org.bedework/bw-base@2.0.0 042
bw-util-logging-6.0.0.jarpkg:maven/org.bedework/bw-util-logging@6.0.0 044
bw-util-misc-6.0.0.jarcpe:2.3:a:utils_project:utils:6.0.0:*:*:*:*:*:*:*pkg:maven/org.bedework/bw-util-misc@6.0.0 0Low44
commons-lang3-3.17.0.jarpkg:maven/org.apache.commons/commons-lang3@3.17.0MEDIUM1145
commons-text-1.13.0.jarcpe:2.3:a:apache:commons_text:1.13.0:*:*:*:*:*:*:*pkg:maven/org.apache.commons/commons-text@1.13.0 0Highest73
jackson-core-2.18.2.jarcpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:*:*:*:*:*:*:*pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.2 0Low47
jackson-databind-2.18.2.jarcpe:2.3:a:fasterxml:jackson-databind:2.18.2:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-modules-java8:2.18.2:*:*:*:*:*:*:*		pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.18.2 0Highest41

Dependencies (vulnerable)

bw-base-2.0.0.jar

Description:

This project provides base classes, types and methods

License:

Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/org/bedework/bw-base/2.0.0/bw-base-2.0.0.jar
MD5: 0480624145ad4fc5daeba898b7132099
SHA1: b24b7279e0475bb3c8c84e37af400ad87877c955
SHA256:10d27642e3bf1f2f4f85320293b5041b7e34cba02cc2656f29e79f75cee97cc5
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
bw-base-2.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-util-misc@6.0.0

Identifiers

bw-util-logging-6.0.0.jar

Description:

This project provides logging utility classes and methods

License:

Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/org/bedework/bw-util-logging/6.0.0/bw-util-logging-6.0.0.jar
MD5: 2c63b9031e2d0852a00e57753320b409
SHA1: a12c15e6670f1298c8c4779d08b24595e921aceb
SHA256:e26bbaf5a5dcad998990fdc647f448b2e2dcac6eb628be6945fe24d53759b745
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
bw-util-logging-6.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-json@2.1.0-SNAPSHOT

Identifiers

bw-util-misc-6.0.0.jar

Description:

This project provides a number of utility classes and methods

License:

Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/runner/.m2/repository/org/bedework/bw-util-misc/6.0.0/bw-util-misc-6.0.0.jar
MD5: a54be794abde392b2c1f7fb2935ad372
SHA1: ca14c1131c38ac51caa478cb4ea5df738fc6f106
SHA256:a2243c42722fcaa848e6f0fca44634c0c5685e57bb0c2a2d2f394bf9543bd5ae
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
bw-util-misc-6.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-json@2.1.0-SNAPSHOT

Identifiers

commons-lang3-3.17.0.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

  The code is tested using the latest revision of the JDK for supported
  LTS releases: 8, 11, 17 and 21 currently.
  See https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml
  
  Please ensure your build environment is up-to-date and kindly report any build issues.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.17.0/commons-lang3-3.17.0.jar
MD5: 7730df72b7fdff4a3a32d89a314f826a
SHA1: b17d2136f0460dcc0d2016ceefca8723bdf4ee70
SHA256:6ee731df5c8e5a2976a1ca023b6bb320ea8d3539fbe64c8a1d5cb765127c33b4
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
commons-lang3-3.17.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-util-misc@6.0.0

Identifiers

CVE-2025-48924 (OSSINDEX)  

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a 
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-48924 for details
CWE-674 Uncontrolled Recursion

CVSSv2:
  • Base Score: MEDIUM (6.900000095367432)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.commons:commons-lang3:3.17.0:*:*:*:*:*:*:*

commons-text-1.13.0.jar

Description:

Apache Commons Text is a set of utility functions and reusable components for the purpose of processing
    and manipulating text that should be of use in a Java environment.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/commons/commons-text/1.13.0/commons-text-1.13.0.jar
MD5: 4b4766452c04316e3ef6ffe3490d6b10
SHA1: ba2ed5521c491cabf7ecdb57f77922561c2e8958
SHA256:1e323a501127df78ed0987f345d69d65d0ea7fa3d4fb5b3f84aaeba3a8b20f38
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
commons-text-1.13.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-util-misc@6.0.0

Identifiers

jackson-core-2.18.2.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.18.2/jackson-core-2.18.2.jar
MD5: bf935e6eca3a57defa13918661905cb0
SHA1: fb64ccac5c27dca8819418eb4e443a9f496d9ee7
SHA256:d8054ae7c0d1c2d2f55d28e46026ebe5892881f3fab5f439233184381c3b4a1f
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
jackson-core-2.18.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-json@2.1.0-SNAPSHOT

Identifiers

jackson-databind-2.18.2.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.18.2/jackson-databind-2.18.2.jar
MD5: 1b56887bcd3eaea1ff710eb673e610b0
SHA1: deef8697b92141fb6caf7aa86966cff4eec9b04f
SHA256:4b364e6850dc89172fcf1d4dd26b8ff5488eda44ff4657e22dd265203dd5ab3c
Referenced In Project/Scope: Bedework json: Basic support for json objects and types:compile
jackson-databind-2.18.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.bedework/bw-json@2.1.0-SNAPSHOT

Identifiers



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.