Coder Social home page Coder Social logo

johndeere / work-tracker Goto Github PK

View Code? Open in Web Editor NEW
4.0 13.0 12.0 775 KB

Observe and protect your Java web application.

License: Apache License 2.0

Shell 0.48% Java 99.32% Groovy 0.20%
java java8 sre metadata spring spring-boot elasticsearch mdc observability java11

work-tracker's People

Contributors

averyregier avatar dependabot[bot] avatar evonsdesigns avatar maheshgaya avatar prabinadhikari avatar renovate[bot] avatar ryber avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

hemangi maheshgaya liuziquan evonsdesigns collinpeters prabinadhikari sunilsanka michaelweiss092 fossabot averyregier larsondane

work-tracker's Issues

CVE-2019-17267 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-17267 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267

Release Date: 2019-10-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10

Step up your Open Source Security Game with WhiteSource here

CVE-2019-16335 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-16335 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10

Step up your Open Source Security Game with WhiteSource here

CVE-2019-16943 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-16943 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

CVE-2018-19362 High Severity Vulnerability detected by WhiteSource

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2018-12023 High Severity Vulnerability detected by WhiteSource

CVE-2018-12023 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

jackson-databind has a potential remote code execution (RCE) vulnerability. in versions 2.7.9.x. 2.8.x < 2.8.11.2. and version 2.9.4--2.9.5.

Publish Date: 2018-12-13

URL: CVE-2018-12023

CVSS 2 Score Details (7.6)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@7487cf7

Release Date: 2018-06-01

Fix Resolution: Replace or update the following file: SubTypeValidator.java

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14718 High Severity Vulnerability detected by WhiteSource

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.9.jar, jackson-databind-2.8.11.2.jar

jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)
jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: ac4296095a00cf64f2cebb3c574b7ded6616abd8

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 8.1) Vulnerability due to usage of org.apache.tomcat.embed:tomcat-embed-core:8.5.37

Vulnerabilities

DepShield reports that this application's usage of org.apache.tomcat.embed:tomcat-embed-core:8.5.37 results in the following vulnerability(s):

Occurrences

org.apache.tomcat.embed:tomcat-embed-core:8.5.37 is a transitive dependency introduced by the following direct dependency(s):

org.springframework.boot:spring-boot-starter-web:1.5.19.RELEASE
        └─ org.springframework.boot:spring-boot-starter-tomcat:1.5.19.RELEASE
              └─ org.apache.tomcat.embed:tomcat-embed-core:8.5.37

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.9.8

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.8 results in the following vulnerability(s):

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.8 is a transitive dependency introduced by the following direct dependency(s):

com.fasterxml.jackson.core:jackson-databind:2.9.8

com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc16-SNAPSHOT
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.8

com.deere.isg.work-tracker:work-tracker-servlet:1.0.0-rc16-SNAPSHOT
        └─ com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc16-SNAPSHOT
              └─ com.fasterxml.jackson.core:jackson-databind:2.9.8

com.fasterxml.jackson.core:jackson-databind:2.9.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2018-19361 High Severity Vulnerability detected by WhiteSource

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2019-12814 (Medium) detected in jackson-databind-2.9.9.jar

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2341

Release Date: 2019-06-19

Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 7.5) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.10.0

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.10.0 results in the following vulnerability(s):

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.10.0 is a transitive dependency introduced by the following direct dependency(s):

com.fasterxml.jackson.core:jackson-databind:2.10.0

com.deere.isg.work-tracker:work-tracker-core:1.1.2
        └─ com.fasterxml.jackson.core:jackson-databind:2.10.0

com.deere.isg.work-tracker:work-tracker-servlet:1.1.2
        └─ com.deere.isg.work-tracker:work-tracker-core:1.1.2
              └─ com.fasterxml.jackson.core:jackson-databind:2.10.0

com.fasterxml.jackson.core:jackson-databind:2.10.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of org.springframework:spring-webmvc:4.2.2.RELEASE

Vulnerabilities

DepShield reports that this application's usage of org.springframework:spring-webmvc:4.2.2.RELEASE results in the following vulnerability(s):

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2018-19360 High Severity Vulnerability detected by WhiteSource

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14719 High Severity Vulnerability detected by WhiteSource

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.9.jar, jackson-databind-2.8.11.2.jar

jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)
jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: b1dd7916f7236e7d66634e102af46dd4e8df423c

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

CVE-2017-5929 High Severity Vulnerability detected by WhiteSource

CVE-2017-5929 - High Severity Vulnerability

Vulnerable Library - logback-classic-1.1.11.jar

logback-classic module

path: /root/.m2/repository/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.jar

Library home page: http://logback.qos.ch/logback-classic

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.15.RELEASE.jar
      • spring-boot-starter-logging-1.5.15.RELEASE.jar
        • logback-classic-1.1.11.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: victims/victims-cve-db@94745e0

Release Date: 2017-03-15

Fix Resolution: Replace or update the following file: 5929.yaml

Step up your Open Source Security Game with WhiteSource here

CVE-2017-17485 High Severity Vulnerability detected by WhiteSource

CVE-2017-17485 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@2235894

Release Date: 2017-12-19

Fix Resolution: Replace or update the following files: SubTypeValidator.java, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

CVE-2018-12022 High Severity Vulnerability detected by WhiteSource

CVE-2018-12022 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.1.jar

General data-binding functionality for Jackson: works on core streaming API

path: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • jackson-databind-2.8.11.1.jar (Vulnerable Library)

Found in HEAD commit: febe30919c306c0190cbff1a9814975949559fd1

Vulnerability Details

jackson-databind has a potential remote code execution (RCE) vulnerability in versions < 2.7.9.4.
2.8.x < 2.8.11.2. 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-12022

CVSS 2 Score Details (7.6)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@28badf7

Release Date: 2018-06-08

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Step up your Open Source Security Game with WhiteSource here

CVE-2019-12086 (High) detected in jackson-databind-2.9.8.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /work-tracker/work-tracker-servlet/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 598e8b97e048d427d79fc212d469bcbed6fee8d6

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14720 High Severity Vulnerability detected by WhiteSource

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.9.jar, jackson-databind-2.8.11.2.jar

jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)
jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: b1dd7916f7236e7d66634e102af46dd4e8df423c

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

CVE-2019-14439 (High) detected in jackson-databind-2.9.9.jar

CVE-2019-14439 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2

Step up your Open Source Security Game with WhiteSource here

CVE-2017-15095 High Severity Vulnerability detected by WhiteSource

CVE-2017-15095 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1039769

Fix Resolution: The vendor issued a fix (2.8.11.1, 2.9.4).

The vendor advisories are available at:

FasterXML/jackson-databind#1680
FasterXML/jackson-databind#1723
FasterXML/jackson-databind#1737
FasterXML/jackson-databind#1855
FasterXML/jackson-databind#1899

Step up your Open Source Security Game with WhiteSource here

CVE-2019-16942 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-16942 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0.pr1

Step up your Open Source Security Game with WhiteSource here

CVE-2018-11307 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11307 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.1.jar

General data-binding functionality for Jackson: works on core streaming API

path: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.1/jackson-databind-2.8.11.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • jackson-databind-2.8.11.1.jar (Vulnerable Library)

Found in HEAD commit: febe30919c306c0190cbff1a9814975949559fd1

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@27b4def

Release Date: 2018-05-11

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Step up your Open Source Security Game with WhiteSource here

HttpServlet does not have logStart for Spring

This would require a bit of research in how to make the servlet aware of HandlerInterceptors or use inheritance in the filters. Currently for /lbClassicStatus and for /health/outstanding there's no logStart.

CVE-2018-14719 High Severity Vulnerability detected by WhiteSource

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.9.jar, jackson-databind-2.8.11.2.jar

jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)
jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: ac4296095a00cf64f2cebb3c574b7ded6616abd8

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

CVE-2018-5968 High Severity Vulnerability detected by WhiteSource

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@038b471

Release Date: 2018-01-22

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 7.5) Vulnerability due to usage of org.springframework:spring-core:4.2.2.RELEASE

Vulnerabilities

DepShield reports that this application's usage of org.springframework:spring-core:4.2.2.RELEASE results in the following vulnerability(s):

Occurrences

org.springframework:spring-core:4.2.2.RELEASE is a transitive dependency introduced by the following direct dependency(s):

org.springframework:spring-webmvc:4.2.2.RELEASE
        └─ org.springframework:spring-core:4.2.2.RELEASE

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2018-7489 High Severity Vulnerability detected by WhiteSource

CVE-2018-7489 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041890

Fix Resolution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - October 2018.

The vendor advisory is available at:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Step up your Open Source Security Game with WhiteSource here

CVE-2019-12384 (Medium) detected in jackson-databind-2.9.9.jar

CVE-2019-12384 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

Release Date: 2019-08-12

Fix Resolution: 2.9.9.1

Step up your Open Source Security Game with WhiteSource here

CVE-2019-14379 (High) detected in jackson-databind-2.9.9.jar

CVE-2019-14379 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: ee09ad5daa93d8e93458d6f0dbde92105d4c9a6c

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14718 High Severity Vulnerability detected by WhiteSource

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.9.jar, jackson-databind-2.8.11.2.jar

jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)
jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: b1dd7916f7236e7d66634e102af46dd4e8df423c

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update dependency org.jacoco:jacoco-maven-plugin to v0.8.10
  • chore(deps): update dependency com.puppycrawl.tools:checkstyle to v10.12.0
  • chore(deps): update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.3.0
  • chore(deps): update dependency org.apache.maven.plugins:maven-gpg-plugin to v3.1.0
  • chore(deps): update dependency org.apache.maven.plugins:maven-plugin-plugin to v3.9.0
  • chore(deps): update dependency org.apache.maven.plugins:maven-source-plugin to v3.3.0
  • fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.15.2
  • 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/codeql.yml
  • actions/checkout v3
  • github/codeql-action v2
  • github/codeql-action v2
  • github/codeql-action v2
.github/workflows/maven.yml
  • actions/checkout v3
  • actions/setup-java v3
maven
pom.xml
  • org.apache.maven.plugins:maven-gpg-plugin 3.0.1
  • org.mockito:mockito-core 2.28.2
  • junit:junit 4.13.2
  • org.assertj:assertj-core 3.24.2
  • org.apache.maven.plugins:maven-plugin-plugin 3.8.1
  • org.apache.maven.plugins:maven-source-plugin 3.2.1
  • org.apache.maven.plugins:maven-jar-plugin 3.3.0
  • org.sonatype.plugins:nexus-staging-maven-plugin 1.6.13
  • org.codehaus.groovy.maven:gmaven-plugin 1.0
  • com.mycila.maven-license-plugin:maven-license-plugin 1.9.0
  • org.apache.maven.plugins:maven-compiler-plugin 3.11.0
  • org.apache.maven.plugins:maven-javadoc-plugin 3.5.0
  • org.apache.maven.plugins:maven-release-plugin 2.5.3
  • org.apache.maven.plugins:maven-deploy-plugin 3.1.0
  • org.apache.maven.plugins:maven-checkstyle-plugin 3.2.1
  • com.puppycrawl.tools:checkstyle 10.9.3
  • org.jacoco:jacoco-maven-plugin 0.8.8
  • org.apache.maven.plugins:maven-checkstyle-plugin 3.2.1
  • com.deere.isg:clock 3.1.0
  • org.slf4j:slf4j-api 1.7.25
  • net.logstash.logback:logstash-logback-encoder 7.3
  • com.fasterxml.jackson.core:jackson-databind 2.14.2
  • ch.qos.logback:logback-core 1.2.3
  • ch.qos.logback:logback-classic 1.2.3
  • javax.servlet:javax.servlet-api 4.0.1
  • javax.servlet:javax.servlet-api 4.0.1
  • org.springframework.boot:spring-boot-starter-web 1.5.22.RELEASE
  • com.fasterxml.jackson.core:jackson-databind 2.14.2
  • org.codehaus.groovy:groovy-all 2.4.8
  • org.springframework.boot:spring-boot-starter-test 1.5.22.RELEASE
  • org.springframework:spring-webmvc 4.3.30.RELEASE
  • javax.servlet:javax.servlet-api 4.0.1
  • org.codehaus.groovy:groovy-all 2.4.8
  • org.springframework:spring-test 4.3.30.RELEASE
work-tracker-core/pom.xml
  • com.deere.isg:outstanding 1.2.0
  • javax.annotation:javax.annotation-api 1.3.2
  • org.lucee:oswego-concurrent 1.3.4
work-tracker-servlet/pom.xml
  • org.lucee:oswego-concurrent 1.3.4
  • javax.annotation:javax.annotation-api 1.3.2
work-tracker-spring-boot/pom.xml
  • org.springframework.boot:spring-boot-maven-plugin 1.5.22.RELEASE
  • org.apache.maven.plugins:maven-jar-plugin 3.3.0
work-tracker-spring/pom.xml
  • org.apache.maven.plugins:maven-jar-plugin 3.3.0
  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2020-25649 (High) detected in jackson-databind-2.10.0.jar - autoclosed

CVE-2020-25649 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: work-tracker/work-tracker-servlet/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar,pository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar,pository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in HEAD commit: 32c09f1d1008114cfae0c04be389d731f04eae6a

Found in base branch: master

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2589

Release Date: 2020-12-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.4,2.9.10.7,2.10.5.1,2.11.0.rc1

Step up your Open Source Security Game with WhiteSource here

CVE-2019-17531 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-17531 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10

Step up your Open Source Security Game with WhiteSource here

CVE-2019-14540 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-14540 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/work-tracker/work-tracker-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.9.3/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: c361929568da11fc82656a3df47be291160d34ba

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14721 High Severity Vulnerability detected by WhiteSource

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: ce7bfe45618f12413313c4cdaaaa5c63b857642d

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af?diff=unified#diff-98084d808198119d550a9211e128a16f

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14720 High Severity Vulnerability detected by WhiteSource

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.9.jar, jackson-databind-2.8.11.2.jar

jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • logstash-logback-encoder-4.11.jar (Root Library)
    • jackson-databind-2.8.9.jar (Vulnerable Library)
jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.15.RELEASE.jar (Root Library)
    • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: ac4296095a00cf64f2cebb3c574b7ded6616abd8

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 9.8) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.9.9

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.9 results in the following vulnerability(s):

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.9 is a transitive dependency introduced by the following direct dependency(s):

com.fasterxml.jackson.core:jackson-databind:2.9.9

com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc17
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.9

com.deere.isg.work-tracker:work-tracker-servlet:1.0.0-rc17
        └─ com.deere.isg.work-tracker:work-tracker-core:1.0.0-rc17
              └─ com.fasterxml.jackson.core:jackson-databind:2.9.9

com.fasterxml.jackson.core:jackson-databind:2.9.9

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.