etag-for-scim-server's Issues
CVE-2019-12086 (High) detected in jackson-databind-2.8.11.3.jar
CVE-2019-12086 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
Step up your Open Source Security Game with WhiteSource here
CVE-2017-5929 (High) detected in logback-classic-1.1.11.jar
CVE-2017-5929 - High Severity Vulnerability
Vulnerable Library - logback-classic-1.1.11.jar
logback-classic module
Library home page: http://logback.qos.ch/logback-classic
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.11/ccedfbacef4a6515d2983e3f89ed753d5d4fb665/logback-classic-1.1.11.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - spring-boot-starter-1.5.21.RELEASE.jar
    - spring-boot-starter-logging-1.5.21.RELEASE.jar
      - ❌ logback-classic-1.1.11.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Publish Date: 2017-03-13
URL: CVE-2017-5929
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5929
Release Date: 2017-03-13
Fix Resolution: 1.2.0
CVE-2019-14379 (High) detected in jackson-databind-2.8.11.3.jar
CVE-2019-14379 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.
Publish Date: 2019-07-29
URL: CVE-2019-14379
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
Release Date: 2019-07-29
Fix Resolution: 2.9.9.2
CVE-2019-12814 (Medium) detected in jackson-databind-2.8.11.3.jar
CVE-2019-12814 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2341
Release Date: 2019-06-19
Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0
CVE-2019-16335 (Medium) detected in jackson-databind-2.8.11.3.jar
CVE-2019-16335 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Suggested Fix
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2019-09-15
Fix Resolution: 2.9.10
CVE-2019-14439 (High) detected in jackson-databind-2.8.11.3.jar
CVE-2019-14439 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution: 2.9.9.2
CVE-2019-10072 (High) detected in tomcat-embed-core-8.5.40.jar
CVE-2019-10072 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.40.jar
Core Tomcat implementation
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.40/c2252334e4de59419627a42db1196171ee50049a/tomcat-embed-core-8.5.40.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-1.5.21.RELEASE.jar
    - ❌ tomcat-embed-core-8.5.40.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
Publish Date: 2019-06-21
URL: CVE-2019-10072
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
Release Date: 2019-06-21
Fix Resolution: 8.5.41, 9.0.20
CVE-2019-12384 (Medium) detected in jackson-databind-2.8.11.3.jar
CVE-2019-12384 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Publish Date: 2019-06-24
URL: CVE-2019-12384
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
Release Date: 2019-08-12
Fix Resolution: 2.9.9.1
CVE-2019-14540 (Medium) detected in jackson-databind-2.8.11.3.jar
CVE-2019-14540 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.11.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
  - ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)
Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Suggested Fix
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2019-09-15
Fix Resolution: 2.9.10