
spring-rabbit-1.7.1.RELEASE.jar: 65 vulnerabilities (highest severity is: 9.3) [vp-rem] (reachable) #81

@mend-developer-platform-dev

Description

📂 Vulnerable Library - spring-rabbit-1.7.1.RELEASE.jar

Spring RabbitMQ Support

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-rabbit/1.7.1.RELEASE/spring-rabbit-1.7.1.RELEASE.jar

Partial results (25 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2015-4473 🟣 Critical 9.3 Not Defined 3.7% jackson-databind-2.9.10.4.jar Transitive N/A
CVE-2016-1000027 🟣 Critical 9.3 Not Defined 59.2% spring-web-4.3.7.RELEASE.jar Transitive N/A Reachable
CVE-2017-8045 🟣 Critical 9.3 Not Defined 2.8000002% spring-amqp-1.7.1.RELEASE.jar Transitive N/A Unreachable
CVE-2018-1270 🟣 Critical 9.3 Not Defined 89.4% spring-messaging-4.3.7.RELEASE.jar Transitive N/A Reachable
CVE-2019-17571 🟣 Critical 9.3 Not Defined 43.2% jackson-databind-2.9.10.4.jar Transitive N/A
CVE-2020-5421 🟣 Critical 9.3 Not Defined 63.800003% spring-web-4.3.7.RELEASE.jar Transitive N/A Reachable
CVE-2022-22965 🟣 Critical 9.3 High 94.4% spring-beans-4.3.7.RELEASE.jar Transitive N/A Reachable
CVE-2025-919191 🟣 Critical 9.3 N/A N/A spring-aop-4.3.7.RELEASE.jar Transitive N/A
CVE-2020-14060 🟣 Critical 9.2 Not Defined 9.4% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-14061 🟣 Critical 9.2 Not Defined 6.3% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-14062 🟣 Critical 9.2 Not Defined 7.7% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-14195 🟣 Critical 9.2 Not Defined 10.3% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-24616 🟣 Critical 9.2 Not Defined 3.6% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-24750 🟣 Critical 9.2 Not Defined 2.1% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-35490 🟣 Critical 9.2 Not Defined 6.4% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-35491 🟣 Critical 9.2 Not Defined 9.099999% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-35728 🟣 Critical 9.2 Not Defined 41.4% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36179 🟣 Critical 9.2 Not Defined 60.3% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36180 🟣 Critical 9.2 Not Defined 2.2% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36181 🟣 Critical 9.2 Not Defined 7.0% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36182 🟣 Critical 9.2 Not Defined 2.3% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36183 🟣 Critical 9.2 Not Defined 2.1% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36184 🟣 Critical 9.2 Not Defined 7.5000005% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36185 🟣 Critical 9.2 Not Defined 3.0% jackson-databind-2.9.10.4.jar Transitive N/A Reachable
CVE-2020-36186 🟣 Critical 9.2 Not Defined 2.6000001% jackson-databind-2.9.10.4.jar Transitive N/A Reachable

Details

🟣CVE-2015-4473

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Vulnerability Details

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

Publish Date: Aug 16, 2015 01:00 AM

URL: CVE-2015-4473

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.7%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-4473

Release Date: Aug 16, 2015 01:59 AM

Fix Resolution: firefox - 38.2.0-4,38.2.0-4,38.2.0-4,38.2.0-4;firefox-debuginfo - 38.2.0-4,38.2.0-4;thunderbird - 38.2.0-1,38.2.0-1;thunderbird-debuginfo - 38.2.0-1

🟣CVE-2016-1000027

Vulnerable Library - spring-web-4.3.7.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.7.RELEASE/spring-web-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.bind.EscapedErrors (Extension)
        - org.springframework.web.util.HtmlUtils (Extension)
            - org.springframework.web.util.WebUtils (Extension)
                -> ❌ org.springframework.web.util.UriComponentsBuilder (Vulnerable Component)

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: Jan 02, 2020 12:00 AM

URL: CVE-2016-1000027

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 59.2%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: Jan 02, 2020 12:00 AM

Fix Resolution: org.springframework:spring-web:6.0.0

🟣CVE-2017-8045

Vulnerable Library - spring-amqp-1.7.1.RELEASE.jar

Spring AMQP Core

Library home page: https://projects.spring.io/spring-amqp

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/1.7.1.RELEASE/spring-amqp-1.7.1.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-amqp-1.7.1.RELEASE.jar (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable.

Vulnerability Details

In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.

Publish Date: Nov 27, 2017 10:00 AM

URL: CVE-2017-8045

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.8000002%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🟣CVE-2018-1270

Vulnerable Library - spring-messaging-4.3.7.RELEASE.jar

Spring Messaging

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/4.3.7.RELEASE/spring-messaging-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-messaging-4.3.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.handler.annotation.support.HeaderMethodArgumentResolver (Extension)
                -> ❌ org.springframework.messaging.handler.annotation.Header (Vulnerable Component)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Publish Date: Apr 06, 2018 01:00 PM

URL: CVE-2018-1270

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 89.4%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-p5hg-3xm3-gcjg

Release Date: Apr 06, 2018 01:00 PM

Fix Resolution: org.springframework:spring-messaging:4.3.16.RELEASE,org.springframework:spring-messaging:5.0.5.RELEASE

🟣CVE-2019-17571

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.

Publish Date: Dec 20, 2019 04:01 PM

URL: CVE-2019-17571

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 43.2%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: Dec 20, 2019 04:01 PM

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

🟣CVE-2020-5421

Vulnerable Library - spring-web-4.3.7.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.7.RELEASE/spring-web-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.bind.EscapedErrors (Extension)
        - org.springframework.web.util.HtmlUtils (Extension)
            -> ❌ org.springframework.web.util.WebUtils (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: Sep 19, 2020 03:45 AM

URL: CVE-2020-5421

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 63.800003%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: Sep 19, 2020 03:45 AM

Fix Resolution: org.springframework:spring-web:4.3.29,5.0.19,5.1.18,5.2.9

🟣CVE-2022-22965

Vulnerable Library - spring-beans-4.3.7.RELEASE.jar

Spring Beans

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.7.RELEASE/spring-beans-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar
      • spring-aop-4.3.7.RELEASE.jar
        • spring-beans-4.3.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.controller.UserController (Application)
    - org.springframework.validation.DirectFieldBindingResult (Extension)
        - org.springframework.beans.PropertyAccessorFactory (Extension)
            - org.springframework.beans.BeanWrapperImpl (Extension)
                -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.

Publish Date: Apr 01, 2022 10:17 PM

URL: CVE-2022-22965

Threat Assessment

Exploit Maturity: High

EPSS: 94.4%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-36p3-wjmg-h94x

Release Date: Apr 01, 2022 10:17 PM

Fix Resolution: org.springframework:spring-webflux:5.2.20.RELEASE,org.springframework:spring-webflux:5.3.18,org.springframework:spring-webmvc:5.3.18,org.springframework:spring-webmvc:5.2.20.RELEASE,org.springframework:spring-beans:5.2.20.RELEASE,org.springframework.boot:spring-boot-starter-webflux:2.5.12,org.springframework.boot:spring-boot-starter-webflux:2.6.6,org.springframework:spring-beans:5.3.18,org.springframework.boot:spring-boot-starter-web:2.5.12,org.springframework.boot:spring-boot-starter-web:2.6.6

🟣CVE-2025-919191

Vulnerable Library - spring-aop-4.3.7.RELEASE.jar

Spring AOP

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-aop/4.3.7.RELEASE/spring-aop-4.3.7.RELEASE.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar
      • spring-aop-4.3.7.RELEASE.jar (Vulnerable Library)

Vulnerability Details

This is a test vulnerability for GitLab integration.

Publish Date: Oct 28, 2025 10:00 PM

URL: CVE-2025-919191

Threat Assessment

Exploit Maturity: N/A

EPSS: N/A

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🟣CVE-2020-14060

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Publish Date: Jun 14, 2020 08:46 PM

URL: CVE-2020-14060

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 9.4%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-j823-4qch-3rgm

Release Date: Jun 14, 2020 08:46 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣CVE-2020-14061

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Publish Date: Jun 14, 2020 07:42 PM

URL: CVE-2020-14061

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 6.3%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2q3-4qrh-fm48

Release Date: Jun 14, 2020 07:42 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣CVE-2020-14062

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Publish Date: Jun 14, 2020 07:42 PM

URL: CVE-2020-14062

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.7%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-c265-37vj-cwcc

Release Date: Jun 14, 2020 07:42 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣CVE-2020-14195

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

Publish Date: Jun 16, 2020 03:07 PM

URL: CVE-2020-14195

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 10.3%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-mc6h-4qgp-37qh

Release Date: Jun 16, 2020 03:07 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.5

🟣CVE-2020-24616

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Publish Date: Aug 25, 2020 05:04 PM

URL: CVE-2020-24616

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.6%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-h3cw-g4mq-c5x2

Release Date: Aug 25, 2020 05:04 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.6

🟣CVE-2020-24750

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Publish Date: Sep 17, 2020 06:39 PM

URL: CVE-2020-24750

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.1%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-qjw2-hr98-qgfh

Release Date: Sep 17, 2020 06:39 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5,com.fasterxml.jackson.core:jackson-databind:2.9.10.6

🟣CVE-2020-35490

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: Dec 17, 2020 06:43 PM

URL: CVE-2020-35490

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 6.4%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh8g-3j2c-rqj5

Release Date: Dec 17, 2020 06:43 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-35491

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Publish Date: Dec 17, 2020 06:43 PM

URL: CVE-2020-35491

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 9.099999%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-r3gr-cxrf-hg25

Release Date: Dec 17, 2020 06:43 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-35728

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Publish Date: Dec 27, 2020 04:32 AM

URL: CVE-2020-35728

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 41.4%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-5r5r-6hpj-8gg9

Release Date: Dec 27, 2020 04:32 AM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-36179

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36179

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 60.3%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-9gph-22xh-8x98

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-36180

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36180

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.2%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-8c4j-34r4-xr8g

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8, com.fasterxml.jackson.core:jackson-databind:2.6.7.5

🟣CVE-2020-36181

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:29 PM

URL: CVE-2020-36181

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.0%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-cvm9-fjm9-3572

Release Date: Jan 06, 2021 10:29 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-36182

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36182

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.3%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-89qr-369f-5m5x

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8, com.fasterxml.jackson.core:jackson-databind:2.6.7.5

🟣CVE-2020-36183

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36183

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.1%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-9m6f-7xcq-8vf8

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.5, com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-36184

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: Jan 06, 2021 10:30 PM

URL: CVE-2020-36184

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.5%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6x4-97wx-4q27

Release Date: Jan 06, 2021 10:30 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-36185

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Publish Date: Jan 06, 2021 10:29 PM

URL: CVE-2020-36185

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-8w26-6f25-cm9x

Release Date: Jan 06, 2021 10:29 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

🟣CVE-2020-36186

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.4/jackson-databind-2.9.10.4.jar

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
                - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                    - com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Extension)
                        -> ❌ com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Publish Date: Jan 06, 2021 10:29 PM

URL: CVE-2020-36186

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.6%

Score: 9.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-v585-23hc-c647

Release Date: Jan 06, 2021 10:29 PM

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
