mvalle21 / demo-java-telnyx Goto Github PK
View Code? Open in Web Editor NEWThis project forked from team-telnyx/demo-java-telnyx
Playground for java code
This project forked from team-telnyx/demo-java-telnyx
Playground for java code
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in base branch: master
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Publish Date: 2021-02-26
URL: CVE-2020-27223
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m394-8rww-3jr7
Release Date: 2021-02-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.37.v20210219
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-07
URL: CVE-2020-36180
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
Spring Data REST - WebMVC
Library home page: https://www.spring.io/spring-data
Path to dependency file: /spring-messaging-auto-response/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-rest-webmvc/3.3.5.RELEASE/spring-data-rest-webmvc-3.3.5.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/data/spring-data-rest-webmvc/3.3.5.RELEASE/spring-data-rest-webmvc-3.3.5.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/data/spring-data-rest-webmvc/3.3.5.RELEASE/spring-data-rest-webmvc-3.3.5.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.
Publish Date: 2021-10-28
URL: CVE-2021-22047
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22047
Release Date: 2021-10-28
Fix Resolution (org.springframework.data:spring-data-rest-webmvc): 3.4.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-rest): 2.4.12
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
Publish Date: 2020-06-14
URL: CVE-2020-14062
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062
Release Date: 2020-06-14
Fix Resolution: 2.9.10.5
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Publish Date: 2020-03-02
URL: CVE-2020-9547
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
Release Date: 2020-03-02
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /spring-messaging-auto-response/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4wrc-f8pq-fpqp
Release Date: 2020-01-02
Fix Resolution (org.springframework:spring-web): 5.2.23.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
Publish Date: 2020-03-26
URL: CVE-2020-10969
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969
Release Date: 2020-03-26
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Publish Date: 2020-06-14
URL: CVE-2020-14060
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060
Release Date: 2020-06-14
Fix Resolution: 2.9.10.5
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36189
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Publish Date: 2020-12-27
URL: CVE-2020-35728
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35728
Release Date: 2020-12-27
Fix Resolution: 2.9.10.8
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-07
URL: CVE-2020-36179
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
Publish Date: 2020-03-18
URL: CVE-2020-10673
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Publish Date: 2020-03-02
URL: CVE-2020-9548
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548
Release Date: 2020-03-02
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Publish Date: 2021-01-19
URL: CVE-2021-20190
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Publish Date: 2020-04-07
URL: CVE-2020-11620
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620
Release Date: 2020-04-07
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: 2.9.10.1
⛑️ Automatic Remediation will be attempted for this issue.
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.18.v20190429/jetty-server-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in base branch: master
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Publish Date: 2021-06-22
URL: CVE-2021-34428
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m6cp-vxjx-65j6
Release Date: 2021-06-22
Fix Resolution (org.eclipse.jetty:jetty-server): 9.4.41.v20210516
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
⛑️ Automatic Remediation will be attempted for this issue.
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.18.v20190429/jetty-io-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in base branch: master
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution (org.eclipse.jetty:jetty-io): 9.4.39.v20210325
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
Publish Date: 2020-06-16
URL: CVE-2020-14195
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14195
Release Date: 2020-06-16
Fix Resolution: 2.9.10.5
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Publish Date: 2020-04-07
URL: CVE-2020-11619
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619
Release Date: 2020-04-07
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-07
URL: CVE-2020-36182
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36185
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36188
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: 2.9.10.2
⛑️ Automatic Remediation will be attempted for this issue.
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /spring-messaging-auto-response/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Publish Date: 2021-05-27
URL: CVE-2021-22118
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22118
Release Date: 2021-05-27
Fix Resolution (org.springframework:spring-web): 5.2.15.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.3.11.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Jetty web application support
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.18.v20190429/jetty-webapp-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Publish Date: 2020-10-23
URL: CVE-2020-27216
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
Release Date: 2020-10-23
Fix Resolution (org.eclipse.jetty:jetty-webapp): 9.4.33.v20201020
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
⛑️ Automatic Remediation will be attempted for this issue.
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.18.v20190429/jetty-server-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
Publish Date: 2020-11-28
URL: CVE-2020-27218
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-86wm-rrjm-8wh8
Release Date: 2020-11-28
Fix Resolution (org.eclipse.jetty:jetty-server): 9.4.35.v20201120
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
Publish Date: 2020-06-14
URL: CVE-2020-14061
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061
Release Date: 2020-06-14
Fix Resolution: 2.9.10.5
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Publish Date: 2020-03-31
URL: CVE-2020-11111
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Publish Date: 2021-01-07
URL: CVE-2020-36183
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /console-messaging-demo/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.4/jackson-databind-2.10.4.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Publish Date: 2020-12-03
URL: CVE-2020-25649
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-12-03
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.10.5.1
Direct dependency fix Resolution (com.telnyx.sdk:telnyx): 3.5.0
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36184
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
Publish Date: 2020-12-17
URL: CVE-2020-35490
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /spring-masked-calling/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.2.10.RELEASE/spring-webmvc-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.2.10.RELEASE/spring-webmvc-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.2.10.RELEASE/spring-webmvc-5.2.10.RELEASE.jar
Dependency Hierarchy:
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /spring-messaging-auto-response/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.10.RELEASE/spring-web-5.2.10.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-webmvc): 5.2.18.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0
Fix Resolution (org.springframework:spring-web): 5.2.18.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Publish Date: 2020-03-31
URL: CVE-2020-11112
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112
Release Date: 2020-03-31
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-06
URL: CVE-2020-36181
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
Publish Date: 2020-09-17
URL: CVE-2020-24750
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616
Release Date: 2020-09-17
Fix Resolution: 2.9.10.5
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
Publish Date: 2020-03-26
URL: CVE-2020-10968
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10968
Release Date: 2020-03-26
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Publish Date: 2020-03-31
URL: CVE-2020-11113
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Publish Date: 2020-08-25
URL: CVE-2020-24616
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616
Release Date: 2020-08-25
Fix Resolution: 2.9.10.5
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36187
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
Publish Date: 2020-12-17
URL: CVE-2020-35491
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar
Dependency Hierarchy:
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.18.v20190429/jetty-server-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in base branch: master
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml
can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
Fix Resolution (org.eclipse.jetty:jetty-server): 9.4.41.v20210516
Direct dependency fix Resolution (com.sparkjava:spark-core): 2.9.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.9.10.1
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36186
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution: 2.9.10.1
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Publish Date: 2020-03-18
URL: CVE-2020-10672
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10672
Release Date: 2020-03-18
Fix Resolution: 2.9.10.4
⛑️ Automatic Remediation will be attempted for this issue.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /sparkjava-demo-enterprise-integration/pom.xml
Path to vulnerable library: /canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10/jackson-databind-2.9.10.jar
Dependency Hierarchy:
Found in HEAD commit: 001047fe5029501da9e5e4a7d0f66ec13dba3885
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.