Giter Site home page Giter Site logo

async's Introduction

about me

package main

import "fmt"

func main() {
	username := "vlaship"
	position := "Senior Software Engineer"
	linkedIn := "https://www.linkedin.com/in/shipovalov/"

	summary := `
	I am a hard worker who enjoys tackling complex problems. I spent the past years in an Agile development
process using Scrum and Kanban, pushing our releases through CI/CD using Jenkins, Gitlab, and GitHub Actions
as part of a DevOps process. I am very autonomous, capable of solving complex problems, and consistently delivering
on-time results. I am highly skilled in Java, Kotlin, Spring Framework, Hibernate, SQL, and NoSQL databases,
BigData technologies, DevOps tools, etc. I have had experience managing a small team of developers during
a 3-month delivery effort and would like to do more of that. I have also helped evaluate new developers
and SRE candidates during interviews.

	I am looking for an opportunity to work with a small team of dynamic developers
where I can learn and grow. I am particularly interested in improving my management and leadership skills.
I am open to new languages, technologies, and practices.
	`

	skills := map[string][]string{
		"languages": {
			"Java", "Kotlin", "Golang", "JavaScript", "Rust", "C", "C++", "C#", "SQL", "Bash",
		},
		"queues": {
			"Apache ActiveMQ", "RabbitMQ", "Apache Kafka", "IBM MQ",
		},
		"databases": {
			"PostgreSQL", "MySQL", "SQLServer", "MongoDB", "Redis", "IBM BD2",
		},
		"db_migrations": {
			"Flyway", "Liquibase", "Goose",
		},
		"frameworks": {
			"Spring Framework", "Spring Boot", "Spring Cloud", "Spring Data", "Spring Security",
			"Spring Web", "Apache Camel", "JPA", "Hibernate", "QueryDSL", "MyBatis",
		},
		"cloud": {
			"AWS", "Azure",
		},
		"data": {
			"Azure Databricks", "Apache Spark", "Apache Storm",
		},
		"devops": {
			"Jenkins", "Gitlab", "GitHub Actions", "Docker", "Kubernetes", "Apache Maven", "Gradle",
			"BitBucket Pipelines", "SonarQube", "Nexus",
		},
		"testing": {
			"JUnit", "Mockito", "TestNG", "Jacoco", "Testify",
		},
		"bpmn": {
			"Camunda",
		},
		"protocols": {
			"HTTP", "REST", "GraphQL", "SOAP", "gRPC", "WebSockets", "AMQP", "JMS", "RSocket",
		},
		"UI": {
			"React", "JSP", "Thymeleaf",
		},
	}

	fmt.Println("Username: ", username)
	fmt.Println("Position: ", position)
	fmt.Println("LinkedIn: ", linkedIn)
	fmt.Println("Summary: ", summary)
	fmt.Println("Skills:")
	for key, value := range skills {
		fmt.Printf("%s:\n", key)
		for _, v := range value {
			fmt.Printf("\t%s\n", v)
		}
	}
}

metrics

Metrics

me

GitHub LinkedIn Mastodon DEV.TO LeetCode

async's People

Contributors

vlaship avatar

Watchers

avatar avatar

async's Issues

CVE-2020-24616 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-24616 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Publish Date: 2020-08-25

URL: CVE-2020-24616

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616

Release Date: 2020-08-25

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-10219 (Medium) detected in hibernate-validator-6.0.17.Final.jar

CVE-2019-10219 - Medium Severity Vulnerability

Vulnerable Library - hibernate-validator-6.0.17.Final.jar

Hibernate's Bean Validation (JSR-380) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.hibernate.validator/hibernate-validator/6.0.17.Final/af73055fc4a103ab347c56e7da5a143d68a0170/hibernate-validator-6.0.17.Final.jar,/root/.gradle/caches/modules-2/files-2.1/org.hibernate.validator/hibernate-validator/6.0.17.Final/af73055fc4a103ab347c56e7da5a143d68a0170/hibernate-validator-6.0.17.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • hibernate-validator-6.0.17.Final.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

Publish Date: 2019-11-08

URL: CVE-2019-10219

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10219

Release Date: 2019-11-08

Fix Resolution (org.hibernate.validator:hibernate-validator): 6.0.18.Final

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.10.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2021-25329 (High) detected in tomcat-embed-core-9.0.26.jar

CVE-2021-25329 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.26.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-2.1.9.RELEASE.jar
      • tomcat-embed-core-9.0.26.jar (Vulnerable Library)

Vulnerability Details

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Publish Date: 2021-03-01

URL: CVE-2021-25329

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-03-01

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.43

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.3.9.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-5398 (High) detected in spring-web-5.1.10.RELEASE.jar

CVE-2020-5398 - High Severity Vulnerability

Vulnerable Library - spring-web-5.1.10.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.10.RELEASE/f769e9287286f80f6b1d943cc27194ec33d2041c/spring-web-5.1.10.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.10.RELEASE/f769e9287286f80f6b1d943cc27194ec33d2041c/spring-web-5.1.10.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-web-5.1.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Publish Date: 2020-01-17

URL: CVE-2020-5398

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2020-5398

Release Date: 2020-01-17

Fix Resolution (org.springframework:spring-web): 5.1.13.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.12.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2017-18640 (High) detected in snakeyaml-1.23.jar

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/ws-ua/downloadResource_838cf389-c84b-4d10-aeb9-d1a45e705c41/20200307204515/snakeyaml-1.23.jar,/tmp/ws-ua/downloadResource_838cf389-c84b-4d10-aeb9-d1a45e705c41/20200307204515/snakeyaml-1.23.jar

Dependency Hierarchy:

  • spring-boot-starter-2.1.9.RELEASE.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.3.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36183 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36183 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Publish Date: 2021-01-07

URL: CVE-2020-36183

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-25649 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-25649 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-03

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36185 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36185 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36185

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-35491 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-35491 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Publish Date: 2020-12-17

URL: CVE-2020-35491

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36188 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36188 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36188

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-10969 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-10969 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

Publish Date: 2020-03-26

URL: CVE-2020-10969

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969

Release Date: 2020-03-26

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36182 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36182 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36182

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-14060 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-14060 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Publish Date: 2020-06-14

URL: CVE-2020-14060

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060

Release Date: 2020-06-14

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-17267 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-17267 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.10.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-24750 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-24750 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Publish Date: 2020-09-17

URL: CVE-2020-24750

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616

Release Date: 2020-09-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-11111 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-11111 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

Publish Date: 2020-03-31

URL: CVE-2020-11111

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-16943 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-16943 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-9546 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-9546 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-16942 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-16942 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-11112 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-11112 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Publish Date: 2020-03-31

URL: CVE-2020-11112

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112

Release Date: 2020-03-31

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36187 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36187 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36187

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-11619 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-11619 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Publish Date: 2020-04-07

URL: CVE-2020-11619

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619

Release Date: 2020-04-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-10693 (Medium) detected in hibernate-validator-6.0.17.Final.jar

CVE-2020-10693 - Medium Severity Vulnerability

Vulnerable Library - hibernate-validator-6.0.17.Final.jar

Hibernate's Bean Validation (JSR-380) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.hibernate.validator/hibernate-validator/6.0.17.Final/af73055fc4a103ab347c56e7da5a143d68a0170/hibernate-validator-6.0.17.Final.jar,/root/.gradle/caches/modules-2/files-2.1/org.hibernate.validator/hibernate-validator/6.0.17.Final/af73055fc4a103ab347c56e7da5a143d68a0170/hibernate-validator-6.0.17.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • hibernate-validator-6.0.17.Final.jar (Vulnerable Library)

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/

Release Date: 2020-05-06

Fix Resolution (org.hibernate.validator:hibernate-validator): 6.0.20.Final

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-16335 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-16335 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.10.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-10968 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-10968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Publish Date: 2020-03-26

URL: CVE-2020-10968

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10968

Release Date: 2020-03-26

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36181 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36181 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36181

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-20330 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-20330 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.2

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2016-1000027 (High) detected in spring-web-5.1.10.RELEASE.jar

CVE-2016-1000027 - High Severity Vulnerability

Vulnerable Library - spring-web-5.1.10.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.10.RELEASE/f769e9287286f80f6b1d943cc27194ec33d2041c/spring-web-5.1.10.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.10.RELEASE/f769e9287286f80f6b1d943cc27194ec33d2041c/spring-web-5.1.10.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-web-5.1.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-02

Fix Resolution (org.springframework:spring-web): 5.1.16.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-35490 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-35490 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2020-12-17

URL: CVE-2020-35490

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-14062 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-14062 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Publish Date: 2020-06-14

URL: CVE-2020-14062

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062

Release Date: 2020-06-14

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36189 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36189 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36189

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-9484 (High) detected in tomcat-embed-core-9.0.26.jar

CVE-2020-9484 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.26.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-2.1.9.RELEASE.jar
      • tomcat-embed-core-9.0.26.jar (Vulnerable Library)

Vulnerability Details

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Publish Date: 2020-05-20

URL: CVE-2020-9484

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484

Release Date: 2020-05-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.35

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-14892 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-14892 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14892

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-04

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.10.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-14893 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-14893 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.10.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-9548 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-9548 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-11113 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-11113 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Publish Date: 2020-03-31

URL: CVE-2020-11113

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-17531 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-17531 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-35728 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-35728 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Publish Date: 2020-12-27

URL: CVE-2020-35728

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35728

Release Date: 2020-12-27

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-11620 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-11620 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Publish Date: 2020-04-07

URL: CVE-2020-11620

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620

Release Date: 2020-04-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-8840 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-8840 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36186 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36186 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36186

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-14061 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-14061 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Publish Date: 2020-06-14

URL: CVE-2020-14061

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061

Release Date: 2020-06-14

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36180 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36180 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36180

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36184 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36184 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36184

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-11996 (High) detected in tomcat-embed-core-9.0.26.jar

CVE-2020-11996 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.26.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-2.1.9.RELEASE.jar
      • tomcat-embed-core-9.0.26.jar (Vulnerable Library)

Vulnerability Details

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Publish Date: 2020-06-26

URL: CVE-2020-11996

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E,http://tomcat.apache.org/security-10.html

Release Date: 2020-06-26

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.36

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36179 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-36179 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36179

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-14540 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2019-14540 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.2

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-9547 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2020-9547 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Found in HEAD commit: 5661c5165fa5911175796f458bfc71c615c78ba2

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2021-20190 (High) detected in jackson-databind-2.9.9.3.jar

CVE-2021-20190 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.3/68ddd453458765757fd3ffca9437f9a42d91003e/jackson-databind-2.9.9.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.1.9.RELEASE.jar
      • jackson-databind-2.9.9.3.jar (Vulnerable Library)

Vulnerability Details

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Publish Date: 2021-01-19

URL: CVE-2021-20190

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-12418 (High) detected in tomcat-embed-core-9.0.26.jar

CVE-2019-12418 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.26.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.26/6312ba542bc58fa9ee789a43516ce4d862548a6b/tomcat-embed-core-9.0.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-2.1.9.RELEASE.jar
      • tomcat-embed-core-9.0.26.jar (Vulnerable Library)

Vulnerability Details

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Publish Date: 2019-12-23

URL: CVE-2019-12418

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418

Release Date: 2019-12-23

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.29

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.11.RELEASE

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.