Skip to content

spring-rabbit-1.7.1.RELEASE.jar: 62 vulnerabilities (highest severity is: 9.8) #14

Open
Open
spring-rabbit-1.7.1.RELEASE.jar: 62 vulnerabilities (highest severity is: 9.8)#14
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Nov 7, 2023
Vulnerable Library - spring-rabbit-1.7.1.RELEASE.jar

Spring RabbitMQ Support

Library home page: https://projects.spring.io/spring-amqp

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-rabbit version) Remediation Possible** Reachability
CVE-2022-22965 Critical 9.8 spring-beans-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2017-8045 Critical 9.8 spring-amqp-1.7.1.RELEASE.jar Transitive N/A*
CVE-2016-1000027 Critical 9.8 spring-web-4.3.7.RELEASE.jar Transitive 2.0.3.RELEASE
CVE-2020-36184 High 8.8 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36182 High 8.8 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36181 High 8.8 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36180 High 8.8 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36179 High 8.8 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2024-22262 High 8.1 spring-web-4.3.7.RELEASE.jar Transitive 2.1.0.RELEASE
CVE-2024-22259 High 8.1 spring-web-4.3.7.RELEASE.jar Transitive 2.1.0.RELEASE
CVE-2024-22243 High 8.1 spring-web-4.3.7.RELEASE.jar Transitive 2.1.0.RELEASE
CVE-2021-20190 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36189 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36188 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36187 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36186 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36185 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-36183 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-35728 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-35491 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-35490 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-24750 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-24616 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-14195 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-14062 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-14061 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2020-14060 High 8.1 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
WS-2026-0003 High 7.5 jackson-core-2.9.10.jar Transitive 2.1.0.RELEASE
WS-2022-0468 High 7.5 jackson-core-2.9.10.jar Transitive 2.1.0.RELEASE
CVE-2025-52999 High 7.5 jackson-core-2.9.10.jar Transitive 2.1.0.RELEASE
CVE-2025-41249 High 7.5 spring-core-4.3.7.RELEASE.jar Transitive N/A*
CVE-2022-42004 High 7.5 jackson-databind-2.9.10.4.jar Transitive 2.1.0.RELEASE
CVE-2022-42003 High 7.5 jackson-databind-2.9.10.4.jar Transitive 2.1.0.RELEASE
CVE-2020-25649 High 7.5 jackson-databind-2.9.10.4.jar Transitive 1.7.2.RELEASE
CVE-2018-15756 High 7.5 detected in multiple dependencies Transitive 2.0.3.RELEASE
CVE-2018-1272 High 7.5 spring-core-4.3.7.RELEASE.jar Transitive 2.0.13.RELEASE
CVE-2018-11040 High 7.5 detected in multiple dependencies Transitive 2.0.3.RELEASE
WS-2019-0379 Medium 6.5 commons-codec-1.6.jar Transitive N/A*
CVE-2023-20863 Medium 6.5 spring-expression-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2023-20861 Medium 6.5 spring-expression-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2022-22971 Medium 6.5 spring-messaging-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2022-22950 Medium 6.5 spring-expression-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2020-5421 Medium 6.5 spring-web-4.3.7.RELEASE.jar Transitive 2.0.3.RELEASE
CVE-2018-1257 Medium 6.5 spring-messaging-4.3.7.RELEASE.jar Transitive 1.7.9.RELEASE
CVE-2025-41242 Medium 5.9 spring-beans-4.3.7.RELEASE.jar Transitive N/A*
CVE-2018-11087 Medium 5.9 detected in multiple dependencies Direct com.rabbitmq:amqp-client:4.8.0,com.rabbitmq:amqp-client:5.4.0
CVE-2018-11039 Medium 5.9 spring-web-4.3.7.RELEASE.jar Transitive 2.0.3.RELEASE
WS-2017-3734 Medium 5.3 httpclient-4.3.6.jar Transitive 2.0.2.RELEASE
CVE-2024-38828 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2024-38809 Medium 5.3 spring-web-4.3.7.RELEASE.jar Transitive 2.1.0.RELEASE
CVE-2022-22970 Medium 5.3 detected in multiple dependencies Transitive 2.3.6
CVE-2022-22968 Medium 5.3 spring-context-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2020-13956 Medium 5.3 httpclient-4.3.6.jar Transitive 2.1.0.RELEASE
CVE-2018-1199 Medium 5.3 spring-core-4.3.7.RELEASE.jar Transitive 2.0.13.RELEASE
CVE-2023-34050 Medium 5.0 spring-amqp-1.7.1.RELEASE.jar Transitive 2.4.17
CVE-2023-46120 Medium 4.9 amqp-client-4.0.1.jar Transitive 3.1.0
CVE-2024-38808 Medium 4.3 spring-expression-4.3.7.RELEASE.jar Transitive 2.1.1.RELEASE
CVE-2021-22096 Medium 4.3 spring-web-4.3.7.RELEASE.jar Transitive 2.1.0.RELEASE
CVE-2025-49128 Medium 4.0 jackson-core-2.9.10.jar Transitive N/A*
CVE-2025-22233 Low 3.1 spring-context-4.3.7.RELEASE.jar Transitive N/A*
CVE-2024-38820 Low 3.1 detected in multiple dependencies Transitive N/A*
CVE-2026-22735 Low 2.6 spring-web-4.3.7.RELEASE.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (25 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-22965

Vulnerable Library - spring-beans-4.3.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar
      • spring-aop-4.3.7.RELEASE.jar
        • spring-beans-4.3.7.RELEASE.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.1.RELEASE

CVE-2017-8045

Vulnerable Library - spring-amqp-1.7.1.RELEASE.jar

Spring AMQP Core

Library home page: https://projects.spring.io/spring-amqp

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-amqp-1.7.1.RELEASE.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.

Publish Date: 2017-11-27

URL: CVE-2017-8045

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Release Date: 2017-09-06

Fix Resolution: Replace or update the following files: WhiteListDeserializingMessageConverter.java, MessageTests.java, amqp.adoc, Message.java

CVE-2016-1000027

Vulnerable Library - spring-web-4.3.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution (org.springframework:spring-web): 4.3.26.RELEASE

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.0.3.RELEASE

CVE-2020-36184

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36184

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36182

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36182

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36181

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36181

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36180

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36180

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36179

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36179

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2024-22262

Vulnerable Library - spring-web-4.3.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution (org.springframework:spring-web): 5.3.34

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE

CVE-2024-22259

Vulnerable Library - spring-web-4.3.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution (org.springframework:spring-web): 5.3.33

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE

CVE-2024-22243

Vulnerable Library - spring-web-4.3.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • spring-web-4.3.7.RELEASE.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

Publish Date: 2024-02-23

URL: CVE-2024-22243

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution (org.springframework:spring-web): 5.3.32

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE

CVE-2021-20190

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Publish Date: 2021-01-19

URL: CVE-2021-20190

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.7

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36189

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36189

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36188

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36188

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36187

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36187

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36186

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36186

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36185

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36185

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-36183

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Publish Date: 2021-01-06

URL: CVE-2020-36183

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-35728

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Publish Date: 2020-12-27

URL: CVE-2020-35728

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35728

Release Date: 2020-12-27

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-35491

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Publish Date: 2020-12-17

URL: CVE-2020-35491

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-35490

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2020-12-17

URL: CVE-2020-35490

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-24750

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Publish Date: 2020-09-17

URL: CVE-2020-24750

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616

Release Date: 2020-09-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-24616

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Publish Date: 2020-08-25

URL: CVE-2020-24616

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616

Release Date: 2020-08-25

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-14195

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

Publish Date: 2020-06-16

URL: CVE-2020-14195

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14195

Release Date: 2020-06-16

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

CVE-2020-14062

Vulnerable Library - jackson-databind-2.9.10.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Dependency Hierarchy:

  • spring-rabbit-1.7.1.RELEASE.jar (Root Library)
    • http-client-1.1.1.RELEASE.jar
      • jackson-databind-2.9.10.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Publish Date: 2020-06-14

URL: CVE-2020-14062

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062

Release Date: 2020-06-14

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.7.2.RELEASE

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions