Share
## https://sploitus.com/exploit?id=AB55E109-1A71-52E8-B6CC-06377E6C6713
# OSV Scanner CVE Detection POC โ€” Vulnerable Java App

> **โš ๏ธ WARNING: This project is intentionally vulnerable. For educational/POC use only. Never use these dependency versions in production.**

## What this is

A Java Maven project with deliberately outdated dependencies, each carrying real CVEs. Used to demonstrate OSV Scanner CVE detection.

## CVEs included

| Dependency | Version | CVE | Severity | Description |
|---|---|---|---|---|
| log4j-core | 2.14.1 | CVE-2021-44228 | ๐Ÿ”ด CRITICAL 10.0 | Log4Shell โ€” JNDI RCE |
| spring-webmvc | 5.3.17 | CVE-2022-22965 | ๐Ÿ”ด CRITICAL 9.8 | Spring4Shell RCE |
| commons-collections | 3.2.1 | CVE-2015-7501 | ๐Ÿ”ด CRITICAL 9.8 | Deserialization RCE |
| spring-web | 5.3.17 | CVE-2016-1000027 | ๐Ÿ”ด CRITICAL 9.8 | HttpInvoker RCE |
| maven-core | 3.8.1 | CVE-2021-26291 | ๐Ÿ”ด CRITICAL 9.1 | Build hijacking |
| commons-beanutils | 1.9.3 | CVE-2019-10086 | ๐ŸŸ  HIGH 7.3 | ClassLoader attack |
| jackson-databind | 2.13.2 | CVE-2022-42003 | ๐ŸŸ  HIGH 7.5 | Resource exhaustion |
| netty-codec-http2 | 4.1.86 | CVE-2023-44487 | ๐ŸŸ  HIGH 7.5 | HTTP/2 Rapid Reset |
| snakeyaml | 1.30 | CVE-2022-25857 | ๐ŸŸ  HIGH 7.5 | YAML DoS |
| httpclient | 4.5.12 | CVE-2020-13956 | ๐ŸŸก MEDIUM 5.3 | URI handling flaw |

## How to run the POC

### Option 1 โ€” Scanner UI (recommended)
Open `scanner-ui/index.html` in your browser and follow the on-screen steps.

### Option 2 โ€” Command line (Windows CMD)
```cmd
osv-scanner.exe scan source --lockfile pom.xml --format json --output-file osv-report.json
```

## Project structure

```
osv-java-poc/
โ”œโ”€โ”€ pom.xml                          โ† vulnerable dependencies (OSV Scanner reads this)
โ”œโ”€โ”€ src/main/java/com/osvpoc/App.java โ† sample Java code using the libraries
โ”œโ”€โ”€ scanner-ui/
โ”‚   โ””โ”€โ”€ index.html                   โ† browser UI to scan and download CSV
โ””โ”€โ”€ README.md
```