Skip to content

legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar: 31 vulnerabilities (highest severity is: 9.8) [master] #38

Open
Open
legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar: 31 vulnerabilities (highest severity is: 9.8) [master]#38
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 28, 2025
📂 Vulnerable Library - legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar

Path to dependency file: /legend-depot-store-status/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/finos/legend/depot/legend-depot-artifacts-refresh/1.7.6-SNAPSHOT/legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar

Partial results (21 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-82529-348347 🟣 Critical 9.8 N/A N/A guava-30.1-jre.jar Direct N/A
CVE-2022-42889 🔴 High 8.9 Proof of concept 94.2% commons-text-1.9.jar Transitive N/A
CVE-2020-36518 🔴 High 8.7 Not Defined < 1% jackson-databind-2.10.5.1.jar Transitive N/A
CVE-2021-28165 🔴 High 8.7 Not Defined 10.2% jetty-io-9.4.35.v20201120.jar Transitive N/A
CVE-2021-46877 🔴 High 8.7 Not Defined < 1% jackson-databind-2.10.5.1.jar Transitive N/A
CVE-2022-25857 🔴 High 8.7 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-42003 🔴 High 8.7 Not Defined < 1% jackson-databind-2.10.5.1.jar Transitive N/A
CVE-2022-42004 🔴 High 8.7 Not Defined < 1% jackson-databind-2.10.5.1.jar Transitive N/A
CVE-2025-52999 🔴 High 8.7 Not Defined < 1% jackson-core-2.10.5.jar Transitive N/A
CVE-2023-6378 🔴 High 8.2 Not Defined < 1% logback-core-1.2.3.jar Transitive N/A
CVE-2021-42550 🔴 High 7.5 Not Defined 4.3% logback-core-1.2.3.jar Transitive N/A
CVE-2021-42550 🔴 High 7.5 Not Defined 4.3% logback-classic-1.2.3.jar Transitive N/A
CVE-2022-1471 🔴 High 7.4 Functional 93.8% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38749 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38750 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38751 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38752 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2020-10693 🟠 Medium 6.9 Not Defined < 1% hibernate-validator-5.4.2.Final.jar Transitive N/A
CVE-2020-27223 🟠 Medium 6.9 Not Defined 28.099998% jetty-http-9.4.35.v20201120.jar Transitive N/A
CVE-2021-28169 🟠 Medium 6.9 Not Defined 92.1% jetty-servlets-9.4.35.v20201120.jar Transitive N/A
CVE-2021-28169 🟠 Medium 6.9 Not Defined 92.1% jetty-server-9.4.35.v20201120.jar Transitive N/A

Details

🟣CVE-82529-348347

Vulnerable Library - guava-30.1-jre.jar

Guava is a suite of core and expanded libraries that include
utility classes, Google's collections, I/O classes, and
much more.

Library home page: https://github.com/google/guava

Path to dependency file: /legend-depot-artifacts-refresh/pom.xml

Dependency Hierarchy:

  • guava-30.1-jre.jar (Vulnerable Library)

  • legend-depot-store-status-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar
      • legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar
        • guava-30.1-jre.jar (Vulnerable Library)

  • legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar (Root Library)

    • guava-30.1-jre.jar (Vulnerable Library)

  • legend-engine-extensions-collection-generation-4.4.5.jar (Root Library)

    • legend-engine-language-pure-dsl-generation-4.4.5.jar
      • legend-engine-external-shared-4.4.5.jar
        • legend-engine-language-pure-modelManager-4.4.5.jar
          • guava-30.1-jre.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar
      • guava-30.1-jre.jar (Vulnerable Library)

Vulnerability Details

Created automatically by the test suite

Publish Date: Jun 07, 2010 05:12 PM

URL: CVE-82529-348347

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 9.8

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2022-42889

Vulnerable Library - commons-text-1.9.jar

Apache Commons Text is a library focused on algorithms working on strings.

Library home page: https://www.apache.org/

Path to dependency file: /legend-depot-artifacts-purge/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • commons-text-1.9.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • commons-text-1.9.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • commons-text-1.9.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • commons-text-1.9.jar (Vulnerable Library)

Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Mend Note:

Publish Date: Oct 13, 2022 12:00 AM

URL: CVE-2022-42889

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:94.2%

Score: 8.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-599f-7c49-w659

Release Date: Oct 13, 2022 12:00 AM

Fix Resolution : org.apache.commons:commons-text:1.10.0

🔴CVE-2020-36518

Vulnerable Library - jackson-databind-2.10.5.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-core-http/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5.1/jackson-databind-2.10.5.1.jar

Dependency Hierarchy:

  • legend-depot-core-services-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-metrics-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-protocol-pure-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-shared-core-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-protocol-pure-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-shared-core-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Mend Note:

Publish Date: Mar 11, 2022 12:00 AM

URL: CVE-2020-36518

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-57j2-w4cx-62h2

Release Date: Mar 11, 2022 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.13.2.1,com.fasterxml.jackson.core:jackson-databind:2.12.6.1

🔴CVE-2021-28165

Vulnerable Library - jetty-io-9.4.35.v20201120.jar

Library home page: https://webtide.com

Path to dependency file: /legend-depot-server/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar
                • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar
                  • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar
              • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar
            • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Mend Note:

Publish Date: Apr 01, 2021 02:20 PM

URL: CVE-2021-28165

Threat Assessment

Exploit Maturity:Not Defined

EPSS:10.2%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: Apr 01, 2021 02:20 PM

Fix Resolution : org.eclipse.jetty:jetty-server:10.0.2,org.eclipse.jetty:jetty-server:11.0.2

🔴CVE-2021-46877

Vulnerable Library - jackson-databind-2.10.5.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-core-http/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5.1/jackson-databind-2.10.5.1.jar

Dependency Hierarchy:

  • legend-depot-core-services-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-metrics-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-protocol-pure-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-shared-core-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-protocol-pure-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-shared-core-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

Vulnerability Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Mend Note:

Publish Date: Mar 18, 2023 12:00 AM

URL: CVE-2021-46877

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-3x8x-79m2-3w2w

Release Date: Mar 18, 2023 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.12.6,com.fasterxml.jackson.core:jackson-databind:2.13.1

🔴CVE-2022-25857

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Mend Note:

Publish Date: Aug 30, 2022 05:05 AM

URL: CVE-2022-25857

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-3mc7-4q67-w48m

Release Date: Aug 30, 2022 05:05 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-42003

Vulnerable Library - jackson-databind-2.10.5.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-core-http/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5.1/jackson-databind-2.10.5.1.jar

Dependency Hierarchy:

  • legend-depot-core-services-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-metrics-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-protocol-pure-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-shared-core-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-protocol-pure-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-shared-core-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Mend Note:

Publish Date: Oct 02, 2022 12:00 AM

URL: CVE-2022-42003

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-jjjh-jjxp-wpff

Release Date: Oct 02, 2022 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.13.4.2,com.fasterxml.jackson.core:jackson-databind:2.12.7.1

🔴CVE-2022-42004

Vulnerable Library - jackson-databind-2.10.5.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-core-http/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5.1/jackson-databind-2.10.5.1.jar

Dependency Hierarchy:

  • legend-depot-core-services-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-metrics-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-protocol-pure-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-shared-core-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-protocol-pure-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-databind-2.10.5.1.jar (Vulnerable Library)

  • legend-engine-shared-core-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-databind-2.10.5.1.jar (Vulnerable Library)

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Mend Note:

Publish Date: Oct 02, 2022 12:00 AM

URL: CVE-2022-42004

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-rgv9-q543-rqg4

Release Date: Oct 02, 2022 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.12.7.1,com.fasterxml.jackson.core:jackson-databind:2.13.4

🔴CVE-2025-52999

Vulnerable Library - jackson-core-2.10.5.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: http://fasterxml.com/

Path to dependency file: /legend-depot-core-authorisation/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.10.5/jackson-core-2.10.5.jar

Dependency Hierarchy:

  • legend-depot-core-services-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-store-metrics-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar
      • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
        • jackson-databind-2.10.5.1.jar
          • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-engine-protocol-pure-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-authorisation-1.7.6-SNAPSHOT.jar
      • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
        • legend-engine-shared-core-4.4.5.jar
          • legend-engine-protocol-4.4.5.jar
            • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar
      • legend-engine-shared-core-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-core-tracing-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-shared-core-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-engine-protocol-pure-4.4.5.jar
      • legend-engine-protocol-4.4.5.jar
        • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-model-1.7.6-SNAPSHOT.jar
      • legend-engine-protocol-pure-4.4.5.jar
        • legend-engine-protocol-4.4.5.jar
          • jackson-core-2.10.5.jar (Vulnerable Library)

  • legend-engine-shared-core-4.4.5.jar (Root Library)

    • legend-engine-protocol-4.4.5.jar
      • jackson-core-2.10.5.jar (Vulnerable Library)

Vulnerability Details

Impact With older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. Patches jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in FasterXML/jackson-core#943. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. Workarounds Users should avoid parsing input files from untrusted sources.

Publish Date: Jun 27, 2025 05:00 PM

URL: CVE-2025-52999

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2023-6378

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /legend-depot-artifacts-refresh/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-logging-1.3.29.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-logging-1.3.29.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-core-1.2.3.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-logging-1.3.29.jar
      • logback-core-1.2.3.jar (Vulnerable Library)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Mend Note:

Publish Date: Nov 29, 2023 12:02 PM

URL: CVE-2023-6378

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-vmq6-5m68-f53m

Release Date: Nov 29, 2023 12:02 PM

Fix Resolution : ch.qos.logback:logback-core:1.2.13,ch.qos.logback:logback-classic:1.3.12,ch.qos.logback:logback-core:1.4.12,ch.qos.logback:logback-core:1.3.12,ch.qos.logback:logback-classic:1.4.12,ch.qos.logback:logback-classic:1.2.13

🔴CVE-2021-42550

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /legend-depot-artifacts-refresh/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-logging-1.3.29.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-logging-1.3.29.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-core-1.2.3.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-logging-1.3.29.jar
      • logback-core-1.2.3.jar (Vulnerable Library)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: Dec 16, 2021 12:00 AM

URL: CVE-2021-42550

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.3%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-668q-qrv7-99fm

Release Date: Dec 16, 2021 12:00 AM

Fix Resolution : ch.qos.logback:logback-core:1.2.9

🔴CVE-2021-42550

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /legend-depot-artifacts-purge/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-logging-1.3.29.jar
          • logback-classic-1.2.3.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-logging-1.3.29.jar
            • logback-classic-1.2.3.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-logging-1.3.29.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: Dec 16, 2021 12:00 AM

URL: CVE-2021-42550

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.3%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-668q-qrv7-99fm

Release Date: Dec 16, 2021 12:00 AM

Fix Resolution : ch.qos.logback:logback-core:1.2.9

🔴CVE-2022-1471

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: Dec 01, 2022 10:47 AM

URL: CVE-2022-1471

Threat Assessment

Exploit Maturity:Functional

EPSS:93.8%

Score: 7.4

Suggested Fix

Type: Upgrade version

Origin: GHSA-mjmj-j48q-9wg2

Release Date: Dec 01, 2022 10:47 AM

Fix Resolution : org.yaml:snakeyaml:2.0

🔴CVE-2022-38749

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38749

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-c4r9-r8fh-9vj2

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38750

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38750

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhhw-99gj-p3c3

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38751

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38751

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-98wm-3w3q-mw94

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38752

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38752

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.32

🟠CVE-2020-10693

Vulnerable Library - hibernate-validator-5.4.2.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /legend-depot-artifacts-purge/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-validation-1.3.29.jar
          • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-validation-1.3.29.jar
            • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-validation-1.3.29.jar
        • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-validation-1.3.29.jar
      • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: May 06, 2020 01:03 PM

URL: CVE-2020-10693

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-rmrm-75hp-phr2

Release Date: May 06, 2020 01:03 PM

Fix Resolution : org.hibernate.validator:hibernate-validator:6.1.5.Final,org.hibernate.validator:hibernate-validator:6.0.20.Final

🟠CVE-2020-27223

Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-core-http/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Mend Note:

Publish Date: Feb 26, 2021 09:55 PM

URL: CVE-2020-27223

Threat Assessment

Exploit Maturity:Not Defined

EPSS:28.099998%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: Feb 26, 2021 09:55 PM

Fix Resolution : org.eclipse.jetty:jetty-server:11.0.1,org.eclipse.jetty:jetty-server:10.0.1

🟠CVE-2021-28169

Vulnerable Library - jetty-servlets-9.4.35.v20201120.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /legend-depot-server/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-jetty-1.3.29.jar
          • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-jetty-1.3.29.jar
            • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-jetty-1.3.29.jar
        • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-jetty-1.3.29.jar
      • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to "/concat?/%2557EB-INF/web.xml" can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 09, 2021 01:55 AM

URL: CVE-2021-28169

Threat Assessment

Exploit Maturity:Not Defined

EPSS:92.1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: Jun 09, 2021 01:55 AM

Fix Resolution : org.eclipse.jetty:jetty-servlets:10.0.3,org.eclipse.jetty:jetty-servlets:11.0.3

🟠CVE-2021-28169

Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /legend-depot-store-notifications/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to "/concat?/%2557EB-INF/web.xml" can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 09, 2021 01:55 AM

URL: CVE-2021-28169

Threat Assessment

Exploit Maturity:Not Defined

EPSS:92.1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: Jun 09, 2021 01:55 AM

Fix Resolution : org.eclipse.jetty:jetty-servlets:10.0.3,org.eclipse.jetty:jetty-servlets:11.0.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions