spark-streaming's People
spark-streaming's Issues
CVE-2018-12023 (High) detected in jackson-databind-2.6.5.jar
CVE-2018-12023 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12023
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-17
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-7489 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-7489 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Publish Date: 2018-02-26
URL: CVE-2018-7489
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489
Release Date: 2018-02-26
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2012-5783 (Medium) detected in commons-httpclient-3.1.jar
CVE-2012-5783 - Medium Severity Vulnerability
Vulnerable Library - commons-httpclient-3.1.jar
A library of components for building client-side HTTP services.
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar,/root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-common-2.6.5.jar
- ❌ commons-httpclient-3.1.jar (Vulnerable Library)
- hadoop-common-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265
Step up your Open Source Security Game with Mend here
CVE-2019-16943 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-16943 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-12814 (Medium) detected in jackson-databind-2.6.5.jar
CVE-2019-12814 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-06-19
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-19361 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-19361 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2017-3166 (High) detected in hadoop-mapreduce-client-core-2.6.5.jar
CVE-2017-3166 - High Severity Vulnerability
Vulnerable Library - hadoop-mapreduce-client-core-2.6.5.jar
Apache Hadoop Project POM
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-core/2.6.5/38383ecce4016373f75c957f6af969820d3d303f/hadoop-mapreduce-client-core-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-core/2.6.5/38383ecce4016373f75c957f6af969820d3d303f/hadoop-mapreduce-client-core-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- ❌ hadoop-mapreduce-client-core-2.6.5.jar (Vulnerable Library)
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
Publish Date: 2017-11-13
URL: CVE-2017-3166
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166
Release Date: 2017-11-08
Fix Resolution (org.apache.hadoop:hadoop-mapreduce-client-core): 2.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-16335 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-16335 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-09-15
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2017-15713 (Medium) detected in hadoop-common-2.6.5.jar
CVE-2017-15713 - Medium Severity Vulnerability
Vulnerable Library - hadoop-common-2.6.5.jar
Apache Hadoop Common
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- ❌ hadoop-common-2.6.5.jar (Vulnerable Library)
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
Publish Date: 2018-01-19
URL: CVE-2017-15713
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-01-19
Fix Resolution (org.apache.hadoop:hadoop-common): 2.8.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-19362 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-19362 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-17190 (Critical) detected in spark-core_2.11-2.2.0.jar
CVE-2018-17190 - Critical Severity Vulnerability
Vulnerable Library - spark-core_2.11-2.2.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://spark.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
Publish Date: 2018-11-19
URL: CVE-2018-17190
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17190
Release Date: 2018-11-19
Fix Resolution (org.apache.spark:spark-core_2.11): 2.4.5
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2020-9548 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2020-9548 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Publish Date: 2020-03-02
URL: CVE-2020-9548
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-19360 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-19360 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-5968 (High) detected in jackson-databind-2.6.5.jar
CVE-2018-5968 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
Release Date: 2018-01-22
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2012-6153 (Medium) detected in commons-httpclient-3.1.jar - autoclosed
CVE-2012-6153 - Medium Severity Vulnerability
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /tmp/ws-scm/spark-streaming/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar,/root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-common-2.6.5.jar
- ❌ commons-httpclient-3.1.jar (Vulnerable Library)
- hadoop-common-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Publish Date: 2014-09-04
URL: CVE-2012-6153
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6153
Release Date: 2014-09-04
Fix Resolution: 4.2.3
Step up your Open Source Security Game with WhiteSource here
CVE-2019-17531 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-17531 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-16942 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-16942 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2009-2625 (Medium) detected in xercesImpl-2.9.1.jar
CVE-2009-2625 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.9.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar,/root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-hdfs-2.6.5.jar
- ❌ xercesImpl-2.9.1.jar (Vulnerable Library)
- hadoop-hdfs-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: xerces:xercesImpl:2.12.0
Step up your Open Source Security Game with Mend here
CVE-2020-9546 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2020-9546 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2020-9547 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2020-9547 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Publish Date: 2020-03-02
URL: CVE-2020-9547
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2017-5637 (High) detected in zookeeper-3.4.6.jar
CVE-2017-5637 - High Severity Vulnerability
Vulnerable Library - zookeeper-3.4.6.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-common-2.6.5.jar
- ❌ zookeeper-3.4.6.jar (Vulnerable Library)
- hadoop-common-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
Publish Date: 2017-10-10
URL: CVE-2017-5637
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637
Release Date: 2017-10-09
Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.10
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-14720 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-14720 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-0201 (Medium) detected in zookeeper-3.4.6.jar
CVE-2019-0201 - Medium Severity Vulnerability
Vulnerable Library - zookeeper-3.4.6.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-common-2.6.5.jar
- ❌ zookeeper-3.4.6.jar (Vulnerable Library)
- hadoop-common-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Publish Date: 2019-05-23
URL: CVE-2019-0201
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://zookeeper.apache.org/security.html
Release Date: 2019-05-23
Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.14
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2013-4002 (Medium) detected in xercesImpl-2.9.1.jar
CVE-2013-4002 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.9.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar,/root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-hdfs-2.6.5.jar
- ❌ xercesImpl-2.9.1.jar (Vulnerable Library)
- hadoop-hdfs-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
Step up your Open Source Security Game with Mend here
CVE-2018-14718 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-14718 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-14439 (High) detected in jackson-databind-2.6.5.jar
CVE-2019-14439 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-10202 (Critical) detected in jackson-databind-2.6.5.jar, jackson-mapper-asl-1.9.13.jar
CVE-2019-10202 - Critical Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.6.5.jar, jackson-mapper-asl-1.9.13.jar
jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
jackson-mapper-asl-1.9.13.jar
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar,/root/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- avro-mapred-1.7.7.jar
- ❌ jackson-mapper-asl-1.9.13.jar (Vulnerable Library)
- avro-mapred-1.7.7.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-20330 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-20330 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-03
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-12384 (Medium) detected in jackson-databind-2.6.5.jar
CVE-2019-12384 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Publish Date: 2019-06-24
URL: CVE-2019-12384
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
Release Date: 2019-06-24
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-1334 (Medium) detected in spark-core_2.11-2.2.0.jar
CVE-2018-1334 - Medium Severity Vulnerability
Vulnerable Library - spark-core_2.11-2.2.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://spark.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
Publish Date: 2018-07-12
URL: CVE-2018-1334
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-11
Fix Resolution (org.apache.spark:spark-core_2.11): 2.2.2
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-11307 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-11307 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-07-09
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-14719 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-14719 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-16869 (High) detected in netty-all-4.0.43.Final.jar
CVE-2019-16869 - High Severity Vulnerability
Vulnerable Library - netty-all-4.0.43.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.43.Final/9781746a179070e886e1fb4b1971a6bbf02061a4/netty-all-4.0.43.Final.jar,/root/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.43.Final/9781746a179070e886e1fb4b1971a6bbf02061a4/netty-all-4.0.43.Final.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ netty-all-4.0.43.Final.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Publish Date: 2019-09-26
URL: CVE-2019-16869
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
Release Date: 2019-09-26
Fix Resolution (io.netty:netty-all): 4.1.42.Final
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-14892 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-14892 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14892
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-14540 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-14540 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-14893 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-14893 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping()
or when @JsonTypeInfo is using Id.CLASS
or Id.MINIMAL_CLASS
or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14893
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
WS-2017-3734 (Medium) detected in httpclient-4.3.6.jar
WS-2017-3734 - Medium Severity Vulnerability
Vulnerable Library - httpclient-4.3.6.jar
HttpComponents Client
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.6/4c47155e3e6c9a41a28db36680b828ced53b8af4/httpclient-4.3.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.6/4c47155e3e6c9a41a28db36680b828ced53b8af4/httpclient-4.3.6.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-common-2.6.5.jar
- hadoop-auth-2.6.5.jar
- ❌ httpclient-4.3.6.jar (Vulnerable Library)
- hadoop-auth-2.6.5.jar
- hadoop-common-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.
Publish Date: 2017-01-21
URL: WS-2017-3734
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Release Date: 2017-01-21
Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2017-7525 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2017-7525 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Publish Date: 2018-02-06
URL: CVE-2017-7525
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
Release Date: 2017-04-11
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.1
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2012-0881 (High) detected in xercesImpl-2.9.1.jar
CVE-2012-0881 - High Severity Vulnerability
Vulnerable Library - xercesImpl-2.9.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar,/root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-hdfs-2.6.5.jar
- ❌ xercesImpl-2.9.1.jar (Vulnerable Library)
- hadoop-hdfs-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: xerces:xercesImpl:2.12.0
Step up your Open Source Security Game with Mend here
CVE-2018-11770 (Medium) detected in spark-core_2.11-2.2.0.jar
CVE-2018-11770 - Medium Severity Vulnerability
Vulnerable Library - spark-core_2.11-2.2.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://spark.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
Publish Date: 2018-08-13
URL: CVE-2018-11770
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11770
Release Date: 2018-08-13
Fix Resolution (org.apache.spark:spark-core_2.11): 2.2.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-14721 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2018-14721 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-12022 (High) detected in jackson-databind-2.6.5.jar
CVE-2018-12022 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12022
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-17
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-8009 (High) detected in hadoop-common-2.6.5.jar
CVE-2018-8009 - High Severity Vulnerability
Vulnerable Library - hadoop-common-2.6.5.jar
Apache Hadoop Common
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- ❌ hadoop-common-2.6.5.jar (Vulnerable Library)
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
Publish Date: 2018-11-13
URL: CVE-2018-8009
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1593018
Release Date: 2018-11-13
Fix Resolution (org.apache.hadoop:hadoop-common): 2.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-17267 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-17267 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-8024 (Medium) detected in spark-core_2.11-2.2.0.jar
CVE-2018-8024 - Medium Severity Vulnerability
Vulnerable Library - spark-core_2.11-2.2.0.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://spark.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
Publish Date: 2018-07-12
URL: CVE-2018-8024
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8024
Release Date: 2018-07-11
Fix Resolution (org.apache.spark:spark-core_2.11): 2.2.2
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2017-17485 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2017-17485 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Publish Date: 2018-01-10
URL: CVE-2017-17485
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
Release Date: 2018-01-10
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2018-8012 (High) detected in zookeeper-3.4.6.jar
CVE-2018-8012 - High Severity Vulnerability
Vulnerable Library - zookeeper-3.4.6.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- hadoop-client-2.6.5.jar
- hadoop-common-2.6.5.jar
- ❌ zookeeper-3.4.6.jar (Vulnerable Library)
- hadoop-common-2.6.5.jar
- hadoop-client-2.6.5.jar
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Publish Date: 2018-05-21
URL: CVE-2018-8012
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012
Release Date: 2018-05-21
Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.10
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-14379 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2019-14379 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Publish Date: 2019-07-29
URL: CVE-2019-14379
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
Release Date: 2019-07-29
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2019-12086 (High) detected in jackson-databind-2.6.5.jar
CVE-2019-12086 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2017-15095 (Critical) detected in jackson-databind-2.6.5.jar
CVE-2017-15095 - Critical Severity Vulnerability
Vulnerable Library - jackson-databind-2.6.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar
Dependency Hierarchy:
- spark-streaming_2.11-2.2.0.jar (Root Library)
- spark-core_2.11-2.2.0.jar
- ❌ jackson-databind-2.6.5.jar (Vulnerable Library)
- spark-core_2.11-2.2.0.jar
Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0
Vulnerability Details
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Release Date: 2017-06-27
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.2
Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1
Step up your Open Source Security Game with Mend here
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.