spring-rabbit-1.7.1.RELEASE.jar: 54 vulnerabilities (highest severity is: 9.3) [vp-rem] (reachable) #263

@mend-developer-platform-dev

Description

📂 Vulnerable Library - spring-rabbit-1.7.1.RELEASE.jar

Spring RabbitMQ Support

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-rabbit/1.7.1.RELEASE/spring-rabbit-1.7.1.RELEASE.jar

Partial results (29 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.

Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-17485 | 🟣 Critical | 9.3 | Not Defined | 76.9% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2017-7525 | 🟣 Critical | 9.3 | Not Defined | 79.6% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2017-8045 | 🟣 Critical | 9.3 | Not Defined | 2.8000002% | spring-amqp-1.7.1.RELEASE.jar | Transitive | N/A | | Unreachable |
| CVE-2018-11307 | 🟣 Critical | 9.3 | Not Defined | 12.9% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2018-1270 | 🟣 Critical | 9.3 | Not Defined | 89.4% | spring-messaging-4.3.7.RELEASE.jar | Transitive | N/A | | Reachable |
| CVE-2018-18753 | 🟣 Critical | 9.3 | N/A | N/A | jackson-databind-2.8.4.jar | Transitive | N/A | | |
| CVE-2018-19360 | 🟣 Critical | 9.3 | Not Defined | 7.2999997% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2019-14540 | 🟣 Critical | 9.3 | Not Defined | 7.2999997% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2019-16942 | 🟣 Critical | 9.3 | Not Defined | < 1% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2019-16943 | 🟣 Critical | 9.3 | Not Defined | 1.9% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2019-17267 | 🟣 Critical | 9.3 | Not Defined | 1.4000001% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2019-20330 | 🟣 Critical | 9.3 | Not Defined | 1.7% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-9548 | 🟣 Critical | 9.3 | Not Defined | 70.4% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2019-10202 | 🟣 Critical | 9.2 | Not Defined | 1.9% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-10650 | 🟣 Critical | 9.2 | Not Defined | 7.7% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-11619 | 🟣 Critical | 9.2 | Not Defined | 1.7% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-14060 | 🟣 Critical | 9.2 | Not Defined | 9.4% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-14061 | 🟣 Critical | 9.2 | Not Defined | 6.3% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-14062 | 🟣 Critical | 9.2 | Not Defined | 7.7% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-14195 | 🟣 Critical | 9.2 | Not Defined | 10.3% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-24616 | 🟣 Critical | 9.2 | Not Defined | 3.6% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-24750 | 🟣 Critical | 9.2 | Not Defined | 2.1% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-35490 | 🟣 Critical | 9.2 | Not Defined | 6.4% | jackson-databind-2.8.4.jar | Transitive | N/A | | |
| CVE-2020-35491 | 🟣 Critical | 9.2 | Not Defined | 9.099999% | jackson-databind-2.8.4.jar | Transitive | N/A | | |
| CVE-2020-35728 | 🟣 Critical | 9.2 | Not Defined | 41.4% | jackson-databind-2.8.4.jar | Transitive | N/A | | |
| CVE-2020-36179 | 🟣 Critical | 9.2 | Not Defined | 60.3% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-36180 | 🟣 Critical | 9.2 | Not Defined | 2.2% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-36181 | 🟣 Critical | 9.2 | Not Defined | 7.0% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |
| CVE-2020-36182 | 🟣 Critical | 9.2 | Not Defined | 2.3% | jackson-databind-2.8.4.jar | Transitive | N/A | | Reachable |

Details

🟣CVE-2017-17485

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.web.servlet.mvc.method.annotation.JsonViewRequestBodyAdvice (Extension)
                - org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter (Extension)
                    - com.fasterxml.jackson.databind.ObjectReader (Extension)
                        - com.fasterxml.jackson.databind.deser.std.PrimitiveArrayDeserializers$LongDeser (Extension)
                            -> ❌ com.fasterxml.jackson.databind.type.CollectionLikeType (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: Jan 10, 2018 06:00 PM

URL: CVE-2017-17485

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 76.9%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-rfx6-vp9g-rh7v

Release Date: Jan 10, 2018 06:00 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.4, com.fasterxml.jackson.core:jackson-databind:2.7.9.2, com.fasterxml.jackson.core:jackson-databind:2.8.11

🟣CVE-2017-7525

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: Feb 06, 2018 03:00 PM

URL: CVE-2017-7525

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 79.6%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-qxxx-2pp7-5hmx

Release Date: Feb 06, 2018 03:00 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.1, com.fasterxml.jackson.core:jackson-databind:2.7.9.1, com.fasterxml.jackson.core:jackson-databind:2.8.9

🟣CVE-2017-8045

Vulnerable Library - spring-amqp-1.7.1.RELEASE.jar

Spring AMQP Core

Library home page: https://projects.spring.io/spring-amqp

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/1.7.1.RELEASE/spring-amqp-1.7.1.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-amqp-1.7.1.RELEASE.jar (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable.

Vulnerability Details

In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.

Publish Date: Nov 27, 2017 10:00 AM

URL: CVE-2017-8045

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.8000002%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🟣CVE-2018-11307

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.Module$SetupContext (Vulnerable Component)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: Jul 09, 2019 03:37 PM

URL: CVE-2018-11307

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 12.9%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-qr7j-h6gg-jmgc

Release Date: Jul 09, 2019 03:37 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.4, com.fasterxml.jackson.core:jackson-databind:2.8.11.2, com.fasterxml.jackson.core:jackson-databind:2.9.6

🟣CVE-2018-1270

Vulnerable Library - spring-messaging-4.3.7.RELEASE.jar

Spring Messaging

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/4.3.7.RELEASE/spring-messaging-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-messaging-4.3.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            -> ❌ org.springframework.messaging.simp.config.MessageBrokerRegistry (Vulnerable Component)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Publish Date: Apr 06, 2018 01:00 PM

URL: CVE-2018-1270

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 89.4%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-p5hg-3xm3-gcjg

Release Date: Apr 06, 2018 01:00 PM

Fix Resolution: org.springframework:spring-messaging:4.3.16.RELEASE, org.springframework:spring-messaging:5.0.5.RELEASE

🟣CVE-2018-18753

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Vulnerability Details

Typecho V1.1 allows remote attackers to send shell commands via base64-encoded serialized data, as demonstrated by SSRF.

Publish Date: Oct 03, 2022 04:22 PM

URL: CVE-2018-18753

Threat Assessment

Exploit Maturity: N/A

EPSS: N/A

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🟣CVE-2018-19360

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: Jan 02, 2019 06:00 PM

URL: CVE-2018-19360

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.2999997%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9hv-mg5h-xcw9

Release Date: Jan 02, 2019 06:00 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.3, com.fasterxml.jackson.core:jackson-databind:2.9.8, com.fasterxml.jackson.core:jackson-databind:2.7.9.5

🟣CVE-2019-14540

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: Sep 15, 2019 09:45 PM

URL: CVE-2019-14540

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.2999997%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-h822-r4r5-v8jg

Release Date: Sep 15, 2019 09:45 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3, com.fasterxml.jackson.core:jackson-databind:2.8.11.5, com.fasterxml.jackson.core:jackson-databind:2.9.10

🟣CVE-2019-16942

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: Oct 01, 2019 04:04 PM

URL: CVE-2019-16942

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-mx7p-6679-8g3q

Release Date: Oct 01, 2019 04:04 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5, com.fasterxml.jackson.core:jackson-databind:2.6.7.3, com.fasterxml.jackson.core:jackson-databind:2.9.10.1

🟣CVE-2019-16943

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: Oct 01, 2019 04:06 PM

URL: CVE-2019-16943

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.9%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-fmmc-742q-jg75

Release Date: Oct 01, 2019 04:06 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.1, com.fasterxml.jackson.core:jackson-databind:2.8.11.5, com.fasterxml.jackson.core:jackson-databind:2.6.7.3

🟣CVE-2019-17267

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: Oct 06, 2019 11:08 PM

URL: CVE-2019-17267

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.4000001%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-f3j5-rmmp-3fc5

Release Date: Oct 06, 2019 11:08 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5, com.fasterxml.jackson.core:jackson-databind:2.9.10

🟣CVE-2019-20330

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.http.converter.json.Jackson2ObjectMapperBuilder (Extension)
                - com.fasterxml.jackson.databind.ser.FilterProvider (Extension)
                    - com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter (Extension)
                        - com.fasterxml.jackson.databind.ser.impl.FilteredBeanPropertyWriter$MultiView (Extension)
                            - com.fasterxml.jackson.databind.ser.std.InetAddressSerializer (Extension)
                                - com.fasterxml.jackson.databind.deser.impl.ObjectIdReferenceProperty (Extension)
                                    - com.fasterxml.jackson.databind.deser.std.PrimitiveArrayDeserializers (Extension)
                                        -> ❌ com.fasterxml.jackson.databind.deser.ContextualDeserializer (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: Jan 03, 2020 03:35 AM

URL: CVE-2019-20330

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.7%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-gww7-p5w4-wrfv

Release Date: Jan 03, 2020 03:35 AM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.2, com.fasterxml.jackson.core:jackson-databind:2.6.7.4, com.fasterxml.jackson.core:jackson-databind:2.8.11.5, com.fasterxml.jackson.core:jackson-databind:2.7.9.7

🟣CVE-2020-9548

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: Mar 02, 2020 03:58 AM

URL: CVE-2020-9548

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 70.4%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-p43x-xfjf-5jhr

Release Date: Mar 02, 2020 03:58 AM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4, com.fasterxml.jackson.core:jackson-databind:2.8.11.6, com.fasterxml.jackson.core:jackson-databind:2.7.9.7

🟣CVE-2019-10202

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: Oct 01, 2019 02:22 PM

URL: CVE-2019-10202

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.9%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: Oct 01, 2019 02:22 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0

🟣CVE-2020-10650

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                - com.fasterxml.jackson.databind.ser.SerializerFactory (Extension)
                    -> ❌ com.fasterxml.jackson.databind.ser.std.UUIDSerializer (Vulnerable Component)

Vulnerability Details

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Publish Date: Dec 26, 2022 12:00 AM

URL: CVE-2020-10650

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.7%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-rpr3-cw39-3pxh

Release Date: Dec 26, 2022 12:00 AM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4

🟣CVE-2020-11619

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Publish Date: Apr 07, 2020 10:14 PM

URL: CVE-2020-11619

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.7%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-27xj-rqx5-2255

Release Date: Apr 07, 2020 10:14 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4

🟣CVE-2020-14060

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Publish Date: Jun 14, 2020 08:46 PM

URL: CVE-2020-14060

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 9.4%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-j823-4qch-3rgm

Release Date: Jun 14, 2020 08:46 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣 CVE-2020-14061

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Publish Date: Jun 14, 2020 07:42 PM

URL: CVE-2020-14061

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 6.3%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-c2q3-4qrh-fm48

Release Date: Jun 14, 2020 07:42 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣 CVE-2020-14062

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Publish Date: Jun 14, 2020 07:42 PM

URL: CVE-2020-14062

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.7%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-c265-37vj-cwcc

Release Date: Jun 14, 2020 07:42 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣 CVE-2020-14195

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

Publish Date: Jun 16, 2020 03:07 PM

URL: CVE-2020-14195

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 10.3%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-mc6h-4qgp-37qh

Release Date: Jun 16, 2020 03:07 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣 CVE-2020-24616

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Publish Date: Aug 25, 2020 05:04 PM

URL: CVE-2020-24616

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.6%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-h3cw-g4mq-c5x2

Release Date: Aug 25, 2020 05:04 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.6

🟣 CVE-2020-24750

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Publish Date: Sep 17, 2020 06:39 PM

URL: CVE-2020-24750

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.1%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-qjw2-hr98-qgfh

Release Date: Sep 17, 2020 06:39 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.6

🟣 CVE-2020-35490

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: Dec 17, 2020 06:43 PM

URL: CVE-2020-35490

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 6.4%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-wh8g-3j2c-rqj5

Release Date: Dec 17, 2020 06:43 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣 CVE-2020-35491

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Publish Date: Dec 17, 2020 06:43 PM

URL: CVE-2020-35491

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 9.099999%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-r3gr-cxrf-hg25

Release Date: Dec 17, 2020 06:43 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣 CVE-2020-35728

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Publish Date: Dec 27, 2020 04:32 AM

URL: CVE-2020-35728

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 41.4%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-5r5r-6hpj-8gg9

Release Date: Dec 27, 2020 04:32 AM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣 CVE-2020-36179

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36179

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 60.3%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-9gph-22xh-8x98

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣 CVE-2020-36180

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36180

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.2%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-8c4j-34r4-xr8g

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣 CVE-2020-36181

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:29 PM

URL: CVE-2020-36181

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.0%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-cvm9-fjm9-3572

Release Date: Jan 06, 2021 10:29 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣 CVE-2020-36182

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.8.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36182

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.3%

Score: 9.2


Suggested Fix

Type: Upgrade version

Origin: GHSA-89qr-369f-5m5x

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8, com.fasterxml.jackson.core:jackson-databind:2.6.7.5
