johndeere / work-tracker
Observe and protect your Java web application.
License: Apache License 2.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267
Release Date: 2019-10-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10
Step up your Open Source Security Game with WhiteSource here
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution: 2.9.8
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
jackson-databind has a potential remote code execution (RCE) vulnerability in versions 2.7.9.x, 2.8.x < 2.8.11.2, and versions 2.9.4 through 2.9.5.
Publish Date: 2018-12-13
URL: CVE-2018-12023
Type: Change files
Origin: FasterXML/jackson-databind@7487cf7
Release Date: 2018-06-01
Fix Resolution: Replace or update the following file: SubTypeValidator.java
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ac4296095a00cf64f2cebb3c574b7ded6616abd8
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@87d29af
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
Vulnerabilities
DepShield reports that this application's usage of org.apache.tomcat.embed:tomcat-embed-core:8.5.37 results in the following vulnerability(s):
Occurrences
org.apache.tomcat.embed:tomcat-embed-core:8.5.37 is a transitive dependency introduced by the following direct dependency(s):
• org.springframework.boot:spring-boot-starter-web:1.5.19.RELEASE
└─ org.springframework.boot:spring-boot-starter-tomcat:1.5.19.RELEASE
└─ org.apache.tomcat.embed:tomcat-embed-core:8.5.37
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.8 results in the following vulnerability(s):
Occurrences
com.fasterxml.jackson.core:jackson-databind:2.9.8 is a transitive dependency introduced by the following direct dependency(s):
• com.fasterxml.jackson.core:jackson-databind:2.9.8
• com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc16-SNAPSHOT
└─ com.fasterxml.jackson.core:jackson-databind:2.9.8
• com.deere.isg.work-tracker:work-tracker-servlet:1.0.0-rc16-SNAPSHOT
└─ com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc16-SNAPSHOT
└─ com.fasterxml.jackson.core:jackson-databind:2.9.8
• com.fasterxml.jackson.core:jackson-databind:2.9.8
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution: 2.9.8
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2341
Release Date: 2019-06-19
Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0
Vulnerabilities
DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.10.0 results in the following vulnerability(s):
Occurrences
com.fasterxml.jackson.core:jackson-databind:2.10.0 is a transitive dependency introduced by the following direct dependency(s):
• com.fasterxml.jackson.core:jackson-databind:2.10.0
• com.deere.isg.work-tracker:work-tracker-core:1.1.2
└─ com.fasterxml.jackson.core:jackson-databind:2.10.0
• com.deere.isg.work-tracker:work-tracker-servlet:1.1.2
└─ com.deere.isg.work-tracker:work-tracker-core:1.1.2
└─ com.fasterxml.jackson.core:jackson-databind:2.10.0
• com.fasterxml.jackson.core:jackson-databind:2.10.0
Vulnerabilities
DepShield reports that this application's usage of org.springframework:spring-webmvc:4.2.2.RELEASE results in the following vulnerability(s):
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution: 2.9.8
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: b1dd7916f7236e7d66634e102af46dd4e8df423c
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@87d29af
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
logback-classic module
path: /root/.m2/repository/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.jar
Library home page: http://logback.qos.ch/logback-classic
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Publish Date: 2017-03-13
URL: CVE-2017-5929
Base Score Metrics:
Type: Change files
Origin: victims/victims-cve-db@94745e0
Release Date: 2017-03-15
Fix Resolution: Replace or update the following file: 5929.yaml
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Publish Date: 2018-01-10
URL: CVE-2017-17485
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@2235894
Release Date: 2017-12-19
Fix Resolution: Replace or update the following files: SubTypeValidator.java, BeanDeserializerFactory.java
The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.
This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.
General data-binding functionality for Jackson: works on core streaming API
path: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: febe30919c306c0190cbff1a9814975949559fd1
jackson-databind has a potential remote code execution (RCE) vulnerability in versions < 2.7.9.4, 2.8.x < 2.8.11.2, and 2.9.x < 2.9.6.
Publish Date: 2018-12-13
URL: CVE-2018-12022
Type: Change files
Origin: FasterXML/jackson-databind@28badf7
Release Date: 2018-06-08
Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /work-tracker/work-tracker-servlet/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 598e8b97e048d427d79fc212d469bcbed6fee8d6
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, the attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: b1dd7916f7236e7d66634e102af46dd4e8df423c
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@87d29af
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution: 2.9.9.2
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
Base Score Metrics:
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1039769
Fix Resolution: The vendor issued a fix (2.8.11.1, 2.9.4).
The vendor advisories are available at:
FasterXML/jackson-databind#1680
FasterXML/jackson-databind#1723
FasterXML/jackson-databind#1737
FasterXML/jackson-databind#1855
FasterXML/jackson-databind#1899
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0.pr1
General data-binding functionality for Jackson: works on core streaming API
path: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: febe30919c306c0190cbff1a9814975949559fd1
jackson-databind has a potential information exfiltration vulnerability with default typing in versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, and 2.9.x < 2.9.6.
Publish Date: 2018-12-13
URL: CVE-2018-11307
Type: Change files
Origin: FasterXML/jackson-databind@27b4def
Release Date: 2018-05-11
Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION
This would require a bit of research in how to make the servlet aware of HandlerInterceptors or use inheritance in the filters. Currently for /lbClassicStatus and for /health/outstanding there's no logStart.
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ac4296095a00cf64f2cebb3c574b7ded6616abd8
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@87d29af
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@038b471
Release Date: 2018-01-22
Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION
Vulnerabilities
DepShield reports that this application's usage of org.springframework:spring-core:4.2.2.RELEASE results in the following vulnerability(s):
Occurrences
org.springframework:spring-core:4.2.2.RELEASE is a transitive dependency introduced by the following direct dependency(s):
• org.springframework:spring-webmvc:4.2.2.RELEASE
└─ org.springframework:spring-core:4.2.2.RELEASE
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Publish Date: 2018-02-26
URL: CVE-2018-7489
Base Score Metrics:
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041890
Fix Resolution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - October 2018.
The vendor advisory is available at:
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Publish Date: 2019-06-24
URL: CVE-2019-12384
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
Release Date: 2019-08-12
Fix Resolution: 2.9.9.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.
Publish Date: 2019-07-29
URL: CVE-2019-14379
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
Release Date: 2019-07-29
Fix Resolution: 2.9.9.2
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: b1dd7916f7236e7d66634e102af46dd4e8df423c
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
Base Score Metrics:
Type: Change files
Origin: FasterXML/jackson-databind@87d29af
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
ch.qos.logback:logback-classic, ch.qos.logback:logback-core
org.springframework.boot:spring-boot-maven-plugin, org.springframework.boot:spring-boot-starter-test, org.springframework.boot:spring-boot-starter-web
org.springframework:spring-test, org.springframework:spring-webmvc
.github/workflows/codeql.yml
actions/checkout v3
github/codeql-action v2
github/codeql-action v2
github/codeql-action v2
.github/workflows/maven.yml
actions/checkout v3
actions/setup-java v3
pom.xml
org.apache.maven.plugins:maven-gpg-plugin 3.0.1
org.mockito:mockito-core 2.28.2
junit:junit 4.13.2
org.assertj:assertj-core 3.24.2
org.apache.maven.plugins:maven-plugin-plugin 3.8.1
org.apache.maven.plugins:maven-source-plugin 3.2.1
org.apache.maven.plugins:maven-jar-plugin 3.3.0
org.sonatype.plugins:nexus-staging-maven-plugin 1.6.13
org.codehaus.groovy.maven:gmaven-plugin 1.0
com.mycila.maven-license-plugin:maven-license-plugin 1.9.0
org.apache.maven.plugins:maven-compiler-plugin 3.11.0
org.apache.maven.plugins:maven-javadoc-plugin 3.5.0
org.apache.maven.plugins:maven-release-plugin 2.5.3
org.apache.maven.plugins:maven-deploy-plugin 3.1.0
org.apache.maven.plugins:maven-checkstyle-plugin 3.2.1
com.puppycrawl.tools:checkstyle 10.9.3
org.jacoco:jacoco-maven-plugin 0.8.8
org.apache.maven.plugins:maven-checkstyle-plugin 3.2.1
com.deere.isg:clock 3.1.0
org.slf4j:slf4j-api 1.7.25
net.logstash.logback:logstash-logback-encoder 7.3
com.fasterxml.jackson.core:jackson-databind 2.14.2
ch.qos.logback:logback-core 1.2.3
ch.qos.logback:logback-classic 1.2.3
javax.servlet:javax.servlet-api 4.0.1
javax.servlet:javax.servlet-api 4.0.1
org.springframework.boot:spring-boot-starter-web 1.5.22.RELEASE
com.fasterxml.jackson.core:jackson-databind 2.14.2
org.codehaus.groovy:groovy-all 2.4.8
org.springframework.boot:spring-boot-starter-test 1.5.22.RELEASE
org.springframework:spring-webmvc 4.3.30.RELEASE
javax.servlet:javax.servlet-api 4.0.1
org.codehaus.groovy:groovy-all 2.4.8
org.springframework:spring-test 4.3.30.RELEASE
work-tracker-core/pom.xml
com.deere.isg:outstanding 1.2.0
javax.annotation:javax.annotation-api 1.3.2
org.lucee:oswego-concurrent 1.3.4
work-tracker-servlet/pom.xml
org.lucee:oswego-concurrent 1.3.4
javax.annotation:javax.annotation-api 1.3.2
work-tracker-spring-boot/pom.xml
org.springframework.boot:spring-boot-maven-plugin 1.5.22.RELEASE
org.apache.maven.plugins:maven-jar-plugin 3.3.0
work-tracker-spring/pom.xml
org.apache.maven.plugins:maven-jar-plugin 3.3.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: work-tracker/work-tracker-servlet/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar,pository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar,pository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 32c09f1d1008114cfae0c04be389d731f04eae6a
Found in base branch: master
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Publish Date: 2020-12-03
URL: CVE-2020-25649
Type: Upgrade version
Origin: FasterXML/jackson-databind#2589
Release Date: 2020-12-03
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.4,2.9.10.7,2.10.5.1,2.11.0.rc1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml
Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
Type: Change files
Origin: FasterXML/jackson-databind@87d29af?diff=unified#diff-98084d808198119d550a9211e128a16f
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Found in HEAD commit: ac4296095a00cf64f2cebb3c574b7ded6616abd8
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Type: Change files
Origin: FasterXML/jackson-databind@87d29af
Release Date: 2018-08-16
Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java
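The alerts above (CVE-2019-17531, CVE-2019-14540, CVE-2018-14721, CVE-2018-14720 and CVE-2020-25649) share one mechanism: when Default Typing is enabled and the declared target is a broad type such as Object, the JSON document itself names the class to instantiate, so any class on the classpath with a side-effecting setter or constructor (HikariConfig, the axis2-jaxws and JDK XML classes named above) becomes a gadget. The program below is an added example written for this page; it is not code from work-tracker or from Jackson. Shape, Circle and UnrelatedBean are hypothetical stand-ins (UnrelatedBean only records that its setter ran, in place of a real gadget), and both JSON inputs are constructed. It needs jackson-databind 2.10 or later, where activateDefaultTyping and BasicPolymorphicTypeValidator were introduced; the dependency list above shows 2.14.2.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

/**
 * Added example (not work-tracker or Jackson code): with Default Typing on,
 * the input document picks the class; an allowlist validator takes that
 * choice away from the sender. Needs jackson-databind 2.10+.
 */
public class DefaultTypingDemo {

    /** The application's own polymorphic model (hypothetical). */
    public abstract static class Shape { public String label; }
    public static class Circle extends Shape { public double radius; }

    /**
     * Hypothetical stand-in for any unrelated class on the classpath whose
     * setter has a side effect (the role the gadget classes in the CVEs play).
     * Its only side effect here is recording that it was called.
     */
    public static class UnrelatedBean {
        static volatile boolean setterInvoked = false;
        public void setTarget(String target) { setterInvoked = true; }
    }

    // Constructed inputs. Default Typing uses the WRAPPER_ARRAY shape
    // ["fully.qualified.ClassName", { properties }], so the first array
    // element is the type id chosen by the sender.
    static final String LEGIT_INPUT =
        "[\"" + Circle.class.getName() + "\", {\"label\": \"c1\", \"radius\": 2.5}]";
    static final String HOSTILE_INPUT =
        "[\"" + UnrelatedBean.class.getName() + "\", {\"target\": \"anything\"}]";

    /** Equivalent of the pre-2.10 enableDefaultTyping(): every class name is accepted. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Hardened: only subtypes of Shape may appear as type ids. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // 1. The unsafe mapper instantiates whatever class the input names
        //    and runs its setters.
        Object o = unsafeMapper().readValue(HOSTILE_INPUT, Object.class);
        System.out.println("unsafe mapper created " + o.getClass().getSimpleName()
                + "; setter invoked: " + UnrelatedBean.setterInvoked);

        // 2. The hardened mapper rejects the same type id before any
        //    instance of the named class exists.
        UnrelatedBean.setterInvoked = false;
        try {
            hardenedMapper().readValue(HOSTILE_INPUT, Object.class);
            System.out.println("hardened mapper accepted hostile input (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id " + e.getTypeId()
                    + "; setter invoked: " + UnrelatedBean.setterInvoked);
        }

        // 3. The application's own types still round-trip.
        Shape s = (Shape) hardenedMapper().readValue(LEGIT_INPUT, Object.class);
        System.out.println("hardened mapper created " + s.getClass().getSimpleName()
                + " with label=" + s.label);
    }
}
```

Each "Fix Resolution" above adds the newly reported class to Jackson's internal blocklist, so an upgrade closes only the gadgets known at that release; the allowlist validator closes the class of bug. If Default Typing is not needed at all, leave it off and annotate the specific base types with @JsonTypeInfo and @JsonSubTypes instead.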
Vulnerabilities
DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.9 results in the following vulnerability(s):
Occurrences
com.fasterxml.jackson.core:jackson-databind:2.9.9 is a transitive dependency introduced by the following direct dependency(s):
• com.fasterxml.jackson.core:jackson-databind:2.9.9
• com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc17
└─ com.fasterxml.jackson.core:jackson-databind:2.9.9
• com.deere.isg.work-tracker:work-tracker-servlet:1.0.0-rc17
└─ com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc17
└─ com.fasterxml.jackson.core:jackson-databind:2.9.9
• com.fasterxml.jackson.core:jackson-databind:2.9.9
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.