Coder Social home page Coder Social logo

legend-shared's Introduction

FINOS - Incubating Maven Central Build CI Security Rating Bugs

legend-shared

Shared code used across Legend applications for universal server-side functionality - hosting static files, performing authentication etc.

The important tenets for this project are:

  • Code must be genuinely used by the majority of Legend applications
  • New dependencies must be carefully scrutinized - the goal is to minimize unnecessary dependencies in apps.

Development setup

This application uses Maven 3.6+ and JDK 8. Simply run mvn install to compile.

Roadmap

Visit our roadmap to know more about the upcoming features.

Contributing

Visit Legend Contribution Guide to learn how to contribute to Legend.

License

Copyright 2020 Goldman Sachs

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

legend-shared's People

Contributors

akphi avatar beekemarie avatar dependabot[bot] avatar elopezcastro avatar epsstan avatar finos-admin avatar gs-bracej avatar gs-gunjan avatar gs-manvig avatar hardikmaheshwari avatar ivan-kyosev-gs avatar jinanisha avatar kevin-m-knight-gs avatar maoo avatar markseavers avatar mauriciouyaguari avatar mend-for-github-com[bot] avatar pierredebelen avatar rafaelbey avatar yasirmod17 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

kevin-m-knight-gs agitana akphi cptteddy davidharte-gs fagan2888 aziemchawdhary-gs stjordanis junjikatto rjwinchester markseavers mauriciouyaguari erwin-jeanlouis-gs stephanof maoo hardikmaheshwari emilia-sokol-gs beekemarie gs-gunjan gayathrir11 gs-manvig prateekgarg-gs samjcs rafaelbey jinanisha ivan-kyosev-gs ameertest hausea kwaseth-gs davidsunglee kumuwu elopezcastro epsstan aormerod-gs roasher jayita-m tomwilson-gs shtirlets tanujgirdhar langep-gs hboutemy renuccif shuawest georgewuguangyi horbe cvedetect afine-gs ghub-real aterleto aamend goldmansachs yasirmod17 mateusz-klatt

legend-shared's Issues

CVE-2019-16942 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-16942 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1

CVE-2020-14061 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-14061 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Publish Date: 2020-06-14

URL: CVE-2020-14061

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061

Release Date: 2020-06-14

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0

Dependency org.yaml:snakeyaml, leading to CVE problem

Hi, In /legend-shared-pac4j-kerberos,there is a dependency org.yaml:snakeyaml:1.26 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

org.finos.legend.server.pac4j.kerberos.LocalCredentials: getUserId()Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/pac4j/pac4j-config/3.0.0/pac4j-config-3.0.0.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] org.finos.legend.shared:legend-shared-pac4j-kerberos:jar:0.23.4-SNAPSHOT
[INFO] +- org.pac4j:pac4j-kerberos:jar:3.8.3:compile
[INFO] |  \- org.pac4j:pac4j-core:jar:3.8.3:compile
[INFO] |     \- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:provided
[INFO] +- org.finos.legend.shared:legend-shared-pac4j:jar:0.23.4-SNAPSHOT:compile
[INFO] |  +- org.pac4j:dropwizard-pac4j:jar:3.0.0:compile
[INFO] |  |  +- org.pac4j:pac4j-config:jar:3.0.0:compile
[INFO] |  |  |  \- com.zaxxer:HikariCP:jar:2.7.6:compile
[INFO] |  |  +- org.pac4j:jersey225-pac4j:jar:3.0.0:compile
[INFO] |  |  |  \- org.pac4j.jax-rs:core:jar:3.0.0:compile
[INFO] |  |  |     \- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  \- org.pac4j:j2e-pac4j:jar:4.0.0:compile
[INFO] |  +- org.commonjava.mimeparse:mimeparse:jar:0.1.3.3:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.11.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.2:compile
[INFO] |  |  +- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.2:compile
[INFO] |  +- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] |  +- com.google.guava:guava:jar:30.0-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  \- org.mongodb:mongo-java-driver:jar:3.12.8:compile
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test

Suggested solutions:

Update dependency version

Thank you very much.

CVE-2019-16943 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-16943 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1

CVE-2019-17531 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-17531 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10

CVE-2020-11620 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-11620 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Publish Date: 2020-04-07

URL: CVE-2020-11620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620

Release Date: 2020-04-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4

CVE-2019-17267 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-17267 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2460

Release Date: 2019-10-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10

CVE-2020-9546 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-9546 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2020-14062 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-14062 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Publish Date: 2020-06-14

URL: CVE-2020-14062

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062

Release Date: 2020-06-14

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0

CVE-2020-9547 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-9547 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2020-14195 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-14195 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

Publish Date: 2020-06-16

URL: CVE-2020-14195

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14195

Release Date: 2020-06-16

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

CVE-2019-14893 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-14893 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0

CVE-2020-10673 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-10673 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Publish Date: 2020-03-18

URL: CVE-2020-10673

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2660

Release Date: 2020-03-18

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4

CVE-2017-18640 (High) detected in snakeyaml-1.23.jar - autoclosed

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-configuration-1.3.12.jar
        • jackson-dataformat-yaml-2.9.9.jar
          • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

Release Date: 2020-03-08

Fix Resolution: 1.26

CVE-2019-14439 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-14439 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2

CVE-2020-5245 (High) detected in dropwizard-validation-1.3.12.jar - autoclosed

CVE-2020-5245 - High Severity Vulnerability

Vulnerable Library - dropwizard-validation-1.3.12.jar

Dropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.

Library home page: http://www.dropwizard.io/1.3.12

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Publish Date: 2020-02-24

URL: CVE-2020-5245

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5245

Release Date: 2020-02-24

Fix Resolution: 1.3.19,2.0.2

CVE-2020-10968 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-10968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Publish Date: 2020-03-26

URL: CVE-2020-10968

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10968

Release Date: 2020-03-26

Fix Resolution: jackson-databind-2.9.10.4

CVE-2020-11113 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-11113 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Publish Date: 2020-03-31

URL: CVE-2020-11113

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4;2.10.0

CVE-2019-14540 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-14540 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1

CVE-2020-11112 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-11112 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Publish Date: 2020-03-31

URL: CVE-2020-11112

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112

Release Date: 2020-03-31

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4,2.10.0

CVE-2019-12814 (Medium) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2341

Release Date: 2019-06-19

Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0

CVE-2020-9548 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-9548 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4

CVE-2019-16335 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-16335 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10

CVE-2018-1199 (Medium) detected in spring-core-5.0.2.RELEASE.jar - autoclosed

CVE-2018-1199 - Medium Severity Vulnerability

Vulnerable Library - spring-core-5.0.2.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-pac4j-kerberos/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.0.2.RELEASE/spring-core-5.0.2.RELEASE.jar

Dependency Hierarchy:

  • pac4j-kerberos-3.8.3.jar (Root Library)
    • spring-core-5.0.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Publish Date: 2018-03-16

URL: CVE-2018-1199

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1199

Release Date: 2018-03-16

Fix Resolution: org.springframework.security:spring-security-web:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework.security:spring-security-config:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework:spring-core:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,4.3.14.RELEASE

CVE-2020-11619 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-11619 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Publish Date: 2020-04-07

URL: CVE-2020-11619

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619

Release Date: 2020-04-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4

CVE-2019-12384 (Medium) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-12384 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

Release Date: 2019-06-24

Fix Resolution: 2.9.9.1

CVE-2020-11111 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-11111 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

Publish Date: 2020-03-31

URL: CVE-2020-11111

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4,2.10.0

CVE-2020-8840 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-8840 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2620

Release Date: 2020-02-10

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3

CVE-2020-11002 (High) detected in dropwizard-validation-1.3.12.jar - autoclosed

CVE-2020-11002 - High Severity Vulnerability

Vulnerable Library - dropwizard-validation-1.3.12.jar

Dropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.

Library home page: http://www.dropwizard.io/1.3.12

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

Publish Date: 2020-04-10

URL: CVE-2020-11002

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8jpx-m2wh-2v34

Release Date: 2020-04-10

Fix Resolution: io.dropwizard:dropwizard-validation:2.0.3,1.3.21

CVE-2020-24616 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-24616 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Publish Date: 2020-08-25

URL: CVE-2020-24616

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616

Release Date: 2020-08-25

Fix Resolution: 2.9.10.6

CVE-2020-10969 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-10969 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

Publish Date: 2020-03-26

URL: CVE-2020-10969

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969

Release Date: 2020-03-26

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.6;com.fasterxml.jackson.core:jackson-databind:2.7.9.7

CVE-2018-1272 (High) detected in spring-core-5.0.2.RELEASE.jar - autoclosed

CVE-2018-1272 - High Severity Vulnerability

Vulnerable Library - spring-core-5.0.2.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-pac4j-kerberos/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.0.2.RELEASE/spring-core-5.0.2.RELEASE.jar

Dependency Hierarchy:

  • pac4j-kerberos-3.8.3.jar (Root Library)
    • spring-core-5.0.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: 2018-04-06

Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE

CVE-2020-14060 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-14060 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Publish Date: 2020-06-14

URL: CVE-2020-14060

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060

Release Date: 2020-06-14

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0

CVE-2019-14892 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-14892 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14892

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2462

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10

CVE-2019-20330 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-20330 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2526

Release Date: 2020-01-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2

CVE-2020-10672 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2020-10672 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

Publish Date: 2020-03-18

URL: CVE-2020-10672

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10672

Release Date: 2020-03-18

Fix Resolution: jackson-databind-2.9.10.4

CVE-2019-14379 (High) detected in jackson-databind-2.9.9.jar - autoclosed

CVE-2019-14379 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/legend-shared/legend-shared-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • dropwizard-assets-1.3.12.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jackson-1.3.12.jar
        • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 62738822c73dbb7622269847285b3365329fb9b1

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.