Vulnerable Library - spring-rabbit-1.7.1.RELEASE.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2022-22965
Vulnerable Library - spring-beans-4.3.7.RELEASE.jar
Spring Beans
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.7.RELEASE/spring-beans-4.3.7.RELEASE.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - spring-web-4.3.7.RELEASE.jar
    - spring-aop-4.3.7.RELEASE.jar
      - ❌ spring-beans-4.3.7.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
org.springframework.beans.CachedIntrospectionResults (Application)
-> org.springframework.context.support.AbstractApplicationContext (Extension)
-> org.springframework.validation.beanvalidation.OptionalValidatorFactoryBean (Extension)
-> com.visualpathit.account.validator.UserValidator (Extension)
-> ❌ com.visualpathit.account.controller.UserController (Vulnerable Component)
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.
Mend Note:
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-36p3-wjmg-h94x
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-1275
Vulnerable Library - spring-messaging-4.3.7.RELEASE.jar
Spring Messaging
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/4.3.7.RELEASE/spring-messaging-4.3.7.RELEASE.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - ❌ spring-messaging-4.3.7.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
org.springframework.messaging.simp.broker.DefaultSubscriptionRegistry (Application)
-> org.springframework.messaging.simp.broker.SimpleBrokerMessageHandler (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
Mend Note:
Publish Date: 2018-04-11
URL: CVE-2018-1275
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rmv-2pg5-xvqj
Release Date: 2018-04-11
Fix Resolution: org.springframework:spring-messaging:5.0.5.RELEASE,org.springframework:spring-messaging:4.3.16.RELEASE
CVE-2018-1270
Vulnerable Library - spring-messaging-4.3.7.RELEASE.jar
Spring Messaging
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/4.3.7.RELEASE/spring-messaging-4.3.7.RELEASE.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - ❌ spring-messaging-4.3.7.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
org.springframework.messaging.simp.broker.DefaultSubscriptionRegistry (Application)
-> org.springframework.messaging.simp.broker.SimpleBrokerMessageHandler (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Mend Note:
Publish Date: 2018-04-06
URL: CVE-2018-1270
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p5hg-3xm3-gcjg
Release Date: 2018-04-06
Fix Resolution (org.springframework:spring-messaging): 4.3.16.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.9.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-20190
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Publish Date: 2021-01-19
URL: CVE-2021-20190
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5949-rw7g-wx7w
Release Date: 2021-01-19
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.7
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36189
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36189
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vfqx-33qm-g869
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8,com.fasterxml.jackson.core:jackson-databind:2.6.7.5
CVE-2020-36188
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36188
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f9xh-2qgp-cq57
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8,com.fasterxml.jackson.core:jackson-databind:2.6.7.5
CVE-2020-36187
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36187
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r695-7vr9-jgc2
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
CVE-2020-36186
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36186
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v585-23hc-c647
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
CVE-2020-36185
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36185
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8w26-6f25-cm9x
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
CVE-2020-36184
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36184
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-m6x4-97wx-4q27
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36183
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36183
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9m6f-7xcq-8vf8
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5,com.fasterxml.jackson.core:jackson-databind:2.9.10.8
CVE-2020-36182
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36182
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-89qr-369f-5m5x
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8,com.fasterxml.jackson.core:jackson-databind:2.6.7.5
CVE-2020-36181
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
- spring-rabbit-1.7.1.RELEASE.jar (Root Library)
  - http-client-1.1.1.RELEASE.jar
    - ❌ jackson-databind-2.9.10.4.jar (Vulnerable Library)
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Application)
-> com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
-> com.fasterxml.jackson.databind.DeserializationContext (Extension)
-> com.fasterxml.jackson.databind.ObjectWriter (Extension)
...
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
-> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
-> ❌ com.visualpathit.account.validator.UserValidator (Vulnerable Component)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Mend Note:
Publish Date: 2021-01-06
URL: CVE-2020-36181
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cvm9-fjm9-3572
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.7.RELEASE/spring-core-4.3.7.RELEASE.jar
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-beans-4.3.7.RELEASE.jar
Spring Beans
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.7.RELEASE/spring-beans-4.3.7.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.
Mend Note:
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-36p3-wjmg-h94x
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.1.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-messaging-4.3.7.RELEASE.jar
Spring Messaging
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/4.3.7.RELEASE/spring-messaging-4.3.7.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
Mend Note:
Publish Date: 2018-04-11
URL: CVE-2018-1275
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3rmv-2pg5-xvqj
Release Date: 2018-04-11
Fix Resolution: org.springframework:spring-messaging:5.0.5.RELEASE,org.springframework:spring-messaging:4.3.16.RELEASE
Vulnerable Library - spring-messaging-4.3.7.RELEASE.jar
Spring Messaging
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/4.3.7.RELEASE/spring-messaging-4.3.7.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Publish Date: 2018-04-06
URL: CVE-2018-1270
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-p5hg-3xm3-gcjg
Release Date: 2018-04-06
Fix Resolution (org.springframework:spring-messaging): 4.3.16.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.9.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Publish Date: 2021-01-19
URL: CVE-2021-20190
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5949-rw7g-wx7w
Release Date: 2021-01-19
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.7
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36189
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-vfqx-33qm-g869
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8, com.fasterxml.jackson.core:jackson-databind:2.6.7.5
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36188
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f9xh-2qgp-cq57
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8, com.fasterxml.jackson.core:jackson-databind:2.6.7.5
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36187
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r695-7vr9-jgc2
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36186
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-v585-23hc-c647
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36185
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8w26-6f25-cm9x
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36184
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-m6x4-97wx-4q27
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Publish Date: 2021-01-06
URL: CVE-2020-36183
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9m6f-7xcq-8vf8
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-06
URL: CVE-2020-36182
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-89qr-369f-5m5x
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8, com.fasterxml.jackson.core:jackson-databind:2.6.7.5
Vulnerable Library - jackson-databind-2.9.10.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar
Dependency Hierarchy:
Found in HEAD commit: c79f8c12a30b195a60149473e53dca53289d8e77
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-06
URL: CVE-2020-36181
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cvm9-fjm9-3572
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.