vlaship / spark-streaming Goto Github PK

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Release Date: 2018-02-26

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - commons-httpclient-3.1.jar

A library of components for building client-side HTTP services.

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar,/root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ commons-httpclient-3.1.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783

Release Date: 2012-11-04

Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-06-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - hadoop-mapreduce-client-core-2.6.5.jar

Apache Hadoop Project POM

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-core/2.6.5/38383ecce4016373f75c957f6af969820d3d303f/hadoop-mapreduce-client-core-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-core/2.6.5/38383ecce4016373f75c957f6af969820d3d303f/hadoop-mapreduce-client-core-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-mapreduce-client-core-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

Publish Date: 2017-11-13

URL: CVE-2017-3166

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166

Release Date: 2017-11-08

Fix Resolution (org.apache.hadoop:hadoop-mapreduce-client-core): 2.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - hadoop-common-2.6.5.jar

Apache Hadoop Common

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-common-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.

Publish Date: 2018-01-19

URL: CVE-2017-15713

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E

Release Date: 2018-01-19

Fix Resolution (org.apache.hadoop:hadoop-common): 2.8.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - spark-core_2.11-2.2.0.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

Publish Date: 2018-11-19

URL: CVE-2018-17190

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17190

Release Date: 2018-11-19

Fix Resolution (org.apache.spark:spark-core_2.11): 2.4.5

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to dependency file: /tmp/ws-scm/spark-streaming/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar,/root/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ commons-httpclient-3.1.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Publish Date: 2014-09-04

URL: CVE-2012-6153

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6153

Release Date: 2014-09-04

Fix Resolution: 4.2.3

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - xercesImpl-2.9.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar,/root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-hdfs-2.6.5.jar
        • ❌ xercesImpl-2.9.1.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625

Release Date: 2009-08-06

Fix Resolution: xerces:xercesImpl:2.12.0

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - zookeeper-3.4.6.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ zookeeper-3.4.6.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Publish Date: 2017-10-10

URL: CVE-2017-5637

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637

Release Date: 2017-10-09

Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.10

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - zookeeper-3.4.6.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ zookeeper-3.4.6.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.14

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - xercesImpl-2.9.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar,/root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-hdfs-2.6.5.jar
        • ❌ xercesImpl-2.9.1.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Publish Date: 2013-07-23

URL: CVE-2013-4002

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

Release Date: 2013-07-23

Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Libraries - jackson-databind-2.6.5.jar, jackson-mapper-asl-1.9.13.jar

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

Release Date: 2019-06-24

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - spark-core_2.11-2.2.0.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Publish Date: 2018-07-12

URL: CVE-2018-1334

CVSS 3 Score Details (4.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-11

Fix Resolution (org.apache.spark:spark-core_2.11): 2.2.2

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-09

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - netty-all-4.0.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.43.Final/9781746a179070e886e1fb4b1971a6bbf02061a4/netty-all-4.0.43.Final.jar,/root/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.43.Final/9781746a179070e886e1fb4b1971a6bbf02061a4/netty-all-4.0.43.Final.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ netty-all-4.0.43.Final.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Publish Date: 2019-09-26

URL: CVE-2019-16869

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869

Release Date: 2019-09-26

Fix Resolution (io.netty:netty-all): 4.1.42.Final

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14892

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - httpclient-4.3.6.jar

HttpComponents Client

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.6/4c47155e3e6c9a41a28db36680b828ced53b8af4/httpclient-4.3.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.6/4c47155e3e6c9a41a28db36680b828ced53b8af4/httpclient-4.3.6.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • hadoop-auth-2.6.5.jar
          • ❌ httpclient-4.3.6.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.

Publish Date: 2017-01-21

URL: WS-2017-3734

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2017-01-21

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525

Release Date: 2017-04-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.1

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - xercesImpl-2.9.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar,/root/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-hdfs-2.6.5.jar
        • ❌ xercesImpl-2.9.1.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

Release Date: 2017-10-30

Fix Resolution: xerces:xercesImpl:2.12.0

Vulnerable Library - spark-core_2.11-2.2.0.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.

Publish Date: 2018-08-13

URL: CVE-2018-11770

CVSS 3 Score Details (4.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11770

Release Date: 2018-08-13

Fix Resolution (org.apache.spark:spark-core_2.11): 2.2.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - hadoop-common-2.6.5.jar

Apache Hadoop Common

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.6.5/775c6ba9b08cf8ec42e27ea0730b69cc990c69ea/hadoop-common-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-common-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

Publish Date: 2018-11-13

URL: CVE-2018-8009

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1593018

Release Date: 2018-11-13

Fix Resolution (org.apache.hadoop:hadoop-common): 2.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - spark-core_2.11-2.2.0.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.11/2.2.0/f1e6dbc3b085eb4f889b903f452afcfc43aa08c6/spark-core_2.11-2.2.0.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • ❌ spark-core_2.11-2.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.

Publish Date: 2018-07-12

URL: CVE-2018-8024

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8024

Release Date: 2018-07-11

Fix Resolution (org.apache.spark:spark-core_2.11): 2.2.2

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

Release Date: 2018-01-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - zookeeper-3.4.6.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ zookeeper-3.4.6.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Publish Date: 2018-05-21

URL: CVE-2018-8012

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Release Date: 2018-05-21

Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.10

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1

Vulnerable Library - jackson-databind-2.6.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.6.5/d50be1723a09befd903887099ff2014ea9020333/jackson-databind-2.6.5.jar

Dependency Hierarchy:

• spark-streaming_2.11-2.2.0.jar (Root Library)
  • spark-core_2.11-2.2.0.jar
    • ❌ jackson-databind-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: 8193fe8b5a8089e67347f5851a02c41ea5056fb0

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2017-06-27

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.2

Direct dependency fix Resolution (org.apache.spark:spark-streaming_2.11): 2.2.1