
etag-for-scim-server's Introduction

Hi there 👋

etag-for-scim-server's People

Contributors

gandrade, mend-bolt-for-github[bot]


etag-for-scim-server's Issues

CVE-2019-12086 (High) detected in jackson-databind-2.8.11.3.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9


Step up your Open Source Security Game with WhiteSource here

CVE-2017-5929 (High) detected in logback-classic-1.1.11.jar

CVE-2017-5929 - High Severity Vulnerability

Vulnerable Library - logback-classic-1.1.11.jar

logback-classic module

Library home page: http://logback.qos.ch/logback-classic

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.11/ccedfbacef4a6515d2983e3f89ed753d5d4fb665/logback-classic-1.1.11.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.21.RELEASE.jar
      • spring-boot-starter-logging-1.5.21.RELEASE.jar
        • โŒ logback-classic-1.1.11.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5929

Release Date: 2017-03-13

Fix Resolution: 1.2.0



CVE-2019-14379 (High) detected in jackson-databind-2.8.11.3.jar

CVE-2019-14379 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2



CVE-2019-12814 (Medium) detected in jackson-databind-2.8.11.3.jar

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2341

Release Date: 2019-06-19

Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0



CVE-2019-16335 (Medium) detected in jackson-databind-2.8.11.3.jar

CVE-2019-16335 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10



CVE-2019-14439 (High) detected in jackson-databind-2.8.11.3.jar

CVE-2019-14439 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2



CVE-2019-10072 (High) detected in tomcat-embed-core-8.5.40.jar

CVE-2019-10072 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.40.jar

Core Tomcat implementation

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.40/c2252334e4de59419627a42db1196171ee50049a/tomcat-embed-core-8.5.40.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.21.RELEASE.jar
      • โŒ tomcat-embed-core-8.5.40.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-06-21

URL: CVE-2019-10072

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41

Release Date: 2019-06-21

Fix Resolution: 8.5.41, 9.0.20



CVE-2019-12384 (Medium) detected in jackson-databind-2.8.11.3.jar

CVE-2019-12384 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

Release Date: 2019-08-12

Fix Resolution: 2.9.9.1



CVE-2019-14540 (Medium) detected in jackson-databind-2.8.11.3.jar

CVE-2019-14540 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/etag-for-scim-server/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.11.3/844df5aba5a1a56e00905b165b12bb34116ee858/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.21.RELEASE.jar (Root Library)
    • โŒ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: bc8484aa045f9fe36710c65496507f82ab66e720

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10
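Every jackson-databind issue in this list (CVE-2019-12086, CVE-2019-14379, CVE-2019-12814, CVE-2019-16335, CVE-2019-14439, CVE-2019-12384 and CVE-2019-14540) has the same precondition: default typing is enabled, either globally on the ObjectMapper or through a property-level @JsonTypeInfo that uses a class name as the type id, on a JSON endpoint that untrusted clients can reach. The jars named in the descriptions (mysql-connector-java, ehcache, JDOM, HikariCP, logback-core) are only the gadgets that happen to be on the classpath; upgrading to 2.9.10, the newest fix version on this page, blocks these particular gadgets, while leaving default typing off removes the whole class of problem. The page does not show the project's own code, so the first check in etag-for-scim-server is a search for enableDefaultTyping and for JsonTypeInfo.Id.CLASS or Id.MINIMAL_CLASS. The Java below is an added example, not code from the project or from the bot reports: it puts the vulnerable ObjectMapper beside the hardened one, shows the allow-listed alternative for polymorphism that is genuinely needed, and guards the jackson-databind version actually loaded at runtime. Envelope, Harmless, Recipient, the two recipient subtypes and the request body are constructed for the illustration; the class name in the payload assumes the file lives in the default package, and the code targets the 2.8/2.9 API the reports refer to (enableDefaultTyping is deprecated from 2.10 onward).

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

import java.io.IOException;

/**
 * Added example (not etag-for-scim-server code): the precondition shared by the
 * jackson-databind CVEs above, the safe alternative, and a runtime version guard.
 */
public class DefaultTypingCheck {

    /** Hypothetical DTO with an untyped field, the shape a gadget payload needs. */
    public static class Envelope {
        public Object payload;
    }

    /** Harmless stand-in for a gadget class; the point is that the JSON picked it. */
    public static class Harmless {
        public String note;
    }

    /**
     * Constructed request body. With default typing on, the first array element is
     * read as a class name and instantiated. Swap in a class from ehcache, HikariCP,
     * logback-core, JDOM or mysql-connector-java and you have the listed CVEs.
     * The name assumes DefaultTypingCheck is in the default package.
     */
    public static final String ATTACKER_JSON =
        "{\"payload\":[\"DefaultTypingCheck$Harmless\",{\"note\":\"class chosen by client\"}]}";

    /** Vulnerable: global default typing, the setting every listed Jackson CVE requires. */
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Hardened: default typing left off, which is the ObjectMapper default. */
    public static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    /** Runtime class the payload field was bound to for the given mapper. */
    public static Class<?> payloadClass(ObjectMapper mapper, String json) throws IOException {
        return mapper.readValue(json, Envelope.class).payload.getClass();
    }

    // When polymorphism is genuinely needed: a named allow-list. The wire value of
    // "type" is a symbolic name mapped to a fixed set of classes, never a class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailRecipient.class, name = "email"),
        @JsonSubTypes.Type(value = SmsRecipient.class, name = "sms")
    })
    public interface Recipient {}
    public static class EmailRecipient implements Recipient { public String address; }
    public static class SmsRecipient implements Recipient { public String number; }

    /** Unknown "type" values (including class names) fail with JsonMappingException. */
    public static boolean acceptsRecipient(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readValue(json, Recipient.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        }
    }

    /** True if the jackson-databind actually on the classpath is at least major.minor.patch. */
    public static boolean databindAtLeast(int major, int minor, int patch) {
        Version min = new Version(major, minor, patch, null,
            "com.fasterxml.jackson.core", "jackson-databind");
        return PackageVersion.VERSION.compareTo(min) >= 0;
    }

    public static void main(String[] args) throws IOException {
        // Default typing on: payload is DefaultTypingCheck$Harmless (client picked the class).
        System.out.println("default typing on : " + payloadClass(vulnerableMapper(), ATTACKER_JSON).getName());
        // Default typing off: the same array is just a java.util.ArrayList, no class loaded.
        System.out.println("default typing off: " + payloadClass(hardenedMapper(), ATTACKER_JSON).getName());

        ObjectMapper safe = hardenedMapper();
        System.out.println("type=email accepted     : "
            + acceptsRecipient(safe, "{\"type\":\"email\",\"address\":\"a@example.org\"}"));
        System.out.println("type=<class name> accepted: "
            + acceptsRecipient(safe, "{\"type\":\"java.util.HashMap\"}"));

        // 2.9.10 is the newest fix version on this page and covers every Jackson CVE listed,
        // so no four-component version such as 2.9.9.2 ever has to be compared.
        System.out.println("jackson-databind >= 2.9.10: " + databindAtLeast(2, 9, 10));
    }
}
```

The version guard matters because the vulnerable jar arrives transitively through spring-boot-starter-web 1.5.21, not from a line in build.gradle. With the Spring Boot 1.5 Gradle plugin the Jackson version is managed by spring-boot-dependencies, so the bump belongs in build.gradle as ext['jackson.version'] = '2.9.10'; declaring jackson-databind 2.9.10 directly would leave jackson-core and jackson-annotations at 2.8.x.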


