snowdensb / nibrs Goto Github PK
View Code? Open in Web Editor NEWThis project forked from mark43/nibrs
Source code for SEARCH's National Incident-Based Reporting System (NIBRS) toolkit
License: Apache License 2.0
nibrs's People
Contributors
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
nibrs's Issues
CVE-2016-1000341 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000341 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.jar - autoclosed
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.jar
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bootstrap-3.3.7.jar
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-4055 (Medium) detected in moment-2.8.4.min.js - autoclosed
CVE-2016-4055 - Medium Severity Vulnerability
Vulnerable Library - moment-2.8.4.min.js
Parse, validate, manipulate, and display dates
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js
Path to dependency file: /web/nibrs-admin/src/main/resources/templates/fragments/general.html
Path to vulnerable library: /web/nibrs-admin/src/main/resources/templates/fragments/general.html
Dependency Hierarchy:
- ❌ moment-2.8.4.min.js (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2016-4055
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-87vv-r9j6-g5qv
Release Date: 2017-01-23
Fix Resolution: moment - 2.11.2
CVE-2020-11111 (High) detected in multiple libraries - autoclosed
CVE-2020-11111 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.6.jar, jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.8.10.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Publish Date: 2020-03-31
URL: CVE-2020-11111
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12415 (Medium) detected in poi-ooxml-3.15.jar, poi-ooxml-3.17.jar - autoclosed
CVE-2019-12415 - Medium Severity Vulnerability
Vulnerable Libraries - poi-ooxml-3.15.jar, poi-ooxml-3.17.jar
poi-ooxml-3.15.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: /tools/nibrs-summary-report/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/apache/poi/poi-ooxml/3.15/poi-ooxml-3.15.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.15.jar (Vulnerable Library)
poi-ooxml-3.17.jar
Apache POI - Java API To Access Microsoft Format Files
Path to dependency file: /tools/nibrs-flatfile/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/canner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/poi-ooxml-3.17.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.17.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Publish Date: 2019-10-23
URL: CVE-2019-12415
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
Release Date: 2019-10-23
Fix Resolution: 4.1.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36181 (High) detected in multiple libraries - autoclosed
CVE-2020-36181 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-06
URL: CVE-2020-36181
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11796 (High) detected in tika-core-1.18.jar - autoclosed
CVE-2018-11796 - High Severity Vulnerability
Vulnerable Library - tika-core-1.18.jar
This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Path to dependency file: /tools/nibrs-validation/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/canner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/canner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-core/1.18/tika-core-1.18.jar
Dependency Hierarchy:
- ❌ tika-core-1.18.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Publish Date: 2018-10-09
URL: CVE-2018-11796
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8017
Release Date: 2018-10-09
Fix Resolution: 1.19.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36186 (High) detected in multiple libraries - autoclosed
CVE-2020-36186 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36186
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-11113 (High) detected in multiple libraries - autoclosed
CVE-2020-11113 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.6.jar, jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.8.10.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Publish Date: 2020-03-31
URL: CVE-2020-11113
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-14040 (Medium) detected in bootstrap-3.3.7.jar - autoclosed
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.jar
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bootstrap-3.3.7.jar
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000346 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000346 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000352 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000352 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000352
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-16335 (Critical) detected in multiple libraries - autoclosed
CVE-2019-16335 - Critical Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-09-15
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.19
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12400 (Medium) detected in xmlsec-2.1.2.jar - autoclosed
CVE-2019-12400 - Medium Severity Vulnerability
Vulnerable Library - xmlsec-2.1.2.jar
Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Library home page: http://santuario.apache.org/
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.1.2/xmlsec-2.1.2.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/xmlsec-2.1.2.jar
Dependency Hierarchy:
- ❌ xmlsec-2.1.2.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.
Publish Date: 2019-08-23
URL: CVE-2019-12400
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution: 2.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-14720 (Medium) detected in multiple libraries - autoclosed
CVE-2018-14720 - Medium Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.7
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.20
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9488 (Low) detected in multiple libraries - autoclosed
CVE-2020-9488 - Low Severity Vulnerability
Vulnerable Libraries - log4j-core-2.7.jar, log4j-core-2.11.2.jar, log4j-core-2.6.jar, log4j-core-2.10.0.jar
log4j-core-2.7.jar
The Apache Log4j Implementation
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/log4j-core-2.7.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.7/log4j-core-2.7.jar
Dependency Hierarchy:
- ❌ log4j-core-2.7.jar (Vulnerable Library)
log4j-core-2.11.2.jar
The Apache Log4j Implementation
Dependency Hierarchy:
- nibrs-common-0.0.1-SNAPSHOT.jar (Root Library)
- ❌ log4j-core-2.11.2.jar (Vulnerable Library)
log4j-core-2.6.jar
The Apache Log4j Implementation
Library home page: http://logging.apache.org/log4j/2.x/
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.6/log4j-core-2.6.jar,/canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.6/log4j-core-2.6.jar,/canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.6/log4j-core-2.6.jar
Dependency Hierarchy:
- ❌ log4j-core-2.6.jar (Vulnerable Library)
log4j-core-2.10.0.jar
The Apache Log4j Implementation
Library home page: https://logging.apache.org/log4j/2.x/
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar,/canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar,/canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/log4j-core-2.10.0.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar,/canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.10.0/log4j-core-2.10.0.jar
Dependency Hierarchy:
- ❌ log4j-core-2.10.0.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: 2.12.2
- Check this box to open an automated fix PR
CVE-2018-1114 (Medium) detected in undertow-core-1.4.20.Final.jar - autoclosed
CVE-2018-1114 - Medium Severity Vulnerability
Vulnerable Library - undertow-core-1.4.20.Final.jar
Undertow
Library home page: http://www.jboss.org/
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/undertow-core-1.4.20.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/1.4.20.Final/undertow-core-1.4.20.Final.jar
Dependency Hierarchy:
- ❌ undertow-core-1.4.20.Final.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.
Publish Date: 2018-09-11
URL: CVE-2018-1114
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-gjjx-gqm4-wcgm
Release Date: 2018-09-11
Fix Resolution: 1.4.25.Final
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000340 (High) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000340 - High Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Publish Date: 2018-06-04
URL: CVE-2016-1000340
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000340
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-14060 (High) detected in multiple libraries - autoclosed
CVE-2020-14060 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Publish Date: 2020-06-14
URL: CVE-2020-14060
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060
Release Date: 2020-06-14
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-14061 (High) detected in multiple libraries - autoclosed
CVE-2020-14061 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
Publish Date: 2020-06-14
URL: CVE-2020-14061
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061
Release Date: 2020-06-14
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36187 (High) detected in multiple libraries - autoclosed
CVE-2020-36187 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36187
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-11112 (High) detected in multiple libraries - autoclosed
CVE-2020-11112 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Publish Date: 2020-03-31
URL: CVE-2020-11112
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112
Release Date: 2020-03-31
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.4
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12086 (High) detected in multiple libraries - autoclosed
CVE-2019-12086 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.4
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.4
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.19
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000345 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000345 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36183 (High) detected in multiple libraries - autoclosed
CVE-2020-36183 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Publish Date: 2021-01-07
URL: CVE-2020-36183
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-07
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-27906 (Medium) detected in pdfbox-2.0.9.jar, pdfbox-2.0.10.jar - autoclosed
CVE-2021-27906 - Medium Severity Vulnerability
Vulnerable Libraries - pdfbox-2.0.9.jar, pdfbox-2.0.10.jar
pdfbox-2.0.9.jar
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/pdfbox-2.0.9.jar
Dependency Hierarchy:
- ❌ pdfbox-2.0.9.jar (Vulnerable Library)
pdfbox-2.0.10.jar
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /tools/nibrs-route/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.10/pdfbox-2.0.10.jar,/tools/nibrs-route/target/nibrs-route-1.0.0/WEB-INF/lib/pdfbox-2.0.10.jar
Dependency Hierarchy:
- ❌ pdfbox-2.0.10.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Publish Date: 2021-03-19
URL: CVE-2021-27906
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906
Release Date: 2021-03-19
Fix Resolution: 2.0.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-17531 (Critical) detected in multiple libraries - autoclosed
CVE-2019-17531 - Critical Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-8840 (Critical) detected in multiple libraries - autoclosed
CVE-2020-8840 - Critical Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.3
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-15250 (Medium) detected in junit-4.10.jar, junit-4.12.jar - autoclosed
CVE-2020-15250 - Medium Severity Vulnerability
Vulnerable Libraries - junit-4.10.jar, junit-4.12.jar
junit-4.10.jar
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /tools/nibrs-flatfile/pom.xml
Path to vulnerable library: /canner/.m2/repository/junit/junit/4.10/junit-4.10.jar,/canner/.m2/repository/junit/junit/4.10/junit-4.10.jar,/home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar
Dependency Hierarchy:
- ❌ junit-4.10.jar (Vulnerable Library)
junit-4.12.jar
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to dependency file: /tools/nibrs-validation/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.12/junit-4.12.jar,/home/wss-scanner/.m2/repository/junit/junit/4.12/junit-4.12.jar,/home/wss-scanner/.m2/repository/junit/junit/4.12/junit-4.12.jar,/home/wss-scanner/.m2/repository/junit/junit/4.12/junit-4.12.jar,/home/wss-scanner/.m2/repository/junit/junit/4.12/junit-4.12.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/junit-4.12.jar,/canner/.m2/repository/junit/junit/4.12/junit-4.12.jar,/canner/.m2/repository/junit/junit/4.12/junit-4.12.jar
Dependency Hierarchy:
- ❌ junit-4.12.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: 4.13.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36182 (High) detected in multiple libraries - autoclosed
CVE-2020-36182 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.5.jar
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-07
URL: CVE-2020-36182
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-07
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-14062 (High) detected in multiple libraries - autoclosed
CVE-2020-14062 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
Publish Date: 2020-06-14
URL: CVE-2020-14062
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062
Release Date: 2020-06-14
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.19
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36188 (High) detected in multiple libraries - autoclosed
CVE-2020-36188 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36188
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-14721 (Medium) detected in multiple libraries - autoclosed
CVE-2018-14721 - Medium Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.7
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.20
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-26939 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2020-26939 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Publish Date: 2020-11-02
URL: CVE-2020-26939
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-02
Fix Resolution: 1.61
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2015-6644 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2015-6644 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
Publish Date: 2016-01-06
URL: CVE-2015-6644
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6644
Release Date: 2016-01-06
Fix Resolution: 1.55
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11797 (Medium) detected in pdfbox-2.0.10.jar, pdfbox-2.0.9.jar - autoclosed
CVE-2018-11797 - Medium Severity Vulnerability
Vulnerable Libraries - pdfbox-2.0.10.jar, pdfbox-2.0.9.jar
pdfbox-2.0.10.jar
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /tools/nibrs-route/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.10/pdfbox-2.0.10.jar,/tools/nibrs-route/target/nibrs-route-1.0.0/WEB-INF/lib/pdfbox-2.0.10.jar
Dependency Hierarchy:
- ❌ pdfbox-2.0.10.jar (Vulnerable Library)
pdfbox-2.0.9.jar
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.9/pdfbox-2.0.9.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/pdfbox-2.0.9.jar
Dependency Hierarchy:
- ❌ pdfbox-2.0.9.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
Publish Date: 2018-10-05
URL: CVE-2018-11797
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/6fvth3t2pmmxzx2pd7gt143sthltrfg5
Release Date: 2018-10-05
Fix Resolution: 2.0.12
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9484 (High) detected in multiple libraries - autoclosed
CVE-2020-9484 - High Severity Vulnerability
Vulnerable Libraries - tomcat-embed-core-8.5.34.jar, tomcat-embed-core-9.0.19.jar, tomcat-embed-core-8.5.20.jar
tomcat-embed-core-8.5.34.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /tools/nibrs-summary-report/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar,/tools/nibrs-route/target/nibrs-route-1.0.0/WEB-INF/lib/tomcat-embed-core-8.5.34.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
Dependency Hierarchy:
- ❌ tomcat-embed-core-8.5.34.jar (Vulnerable Library)
tomcat-embed-core-9.0.19.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.19/tomcat-embed-core-9.0.19.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-2.1.5.RELEASE.jar
- ❌ tomcat-embed-core-9.0.19.jar (Vulnerable Library)
- spring-boot-starter-tomcat-2.1.5.RELEASE.jar
tomcat-embed-core-8.5.20.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/tomcat-embed-core-8.5.20.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.20/tomcat-embed-core-8.5.20.jar
Dependency Hierarchy:
- ❌ tomcat-embed-core-8.5.20.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
Publish Date: 2020-05-20
URL: CVE-2020-9484
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
Release Date: 2020-05-20
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.55
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12406 (Medium) detected in multiple libraries - autoclosed
CVE-2019-12406 - Medium Severity Vulnerability
Vulnerable Libraries - cxf-core-3.0.16.jar, cxf-core-3.2.1.jar, cxf-core-3.2.5.jar
cxf-core-3.0.16.jar
Apache CXF Core
Library home page: http://cxf.apache.org
Path to dependency file: /tools/nibrs-staging-data-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar
Dependency Hierarchy:
- ❌ cxf-core-3.0.16.jar (Vulnerable Library)
cxf-core-3.2.1.jar
Apache CXF Core
Library home page: http://cxf.apache.org
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/cxf-core-3.2.1.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.2.1/cxf-core-3.2.1.jar
Dependency Hierarchy:
- ❌ cxf-core-3.2.1.jar (Vulnerable Library)
cxf-core-3.2.5.jar
Apache CXF Core
Library home page: http://cxf.apache.org
Path to dependency file: /tools/nibrs-route/pom.xml
Path to vulnerable library: /tools/nibrs-route/target/nibrs-route-1.0.0/WEB-INF/lib/cxf-core-3.2.5.jar,/home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.2.5/cxf-core-3.2.5.jar
Dependency Hierarchy:
- ❌ cxf-core-3.2.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Publish Date: 2019-11-06
URL: CVE-2019-12406
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12406
Release Date: 2019-11-06
Fix Resolution: 3.2.11
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-10202 (Critical) detected in multiple libraries - autoclosed
CVE-2019-10202 - Critical Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.9
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.22
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.9
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-5968 (High) detected in jackson-databind-2.8.10.jar - autoclosed
CVE-2018-5968 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
Release Date: 2018-01-22
Fix Resolution: 2.8.11.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000344 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000344 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000344
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12418 (High) detected in tomcat-embed-core-9.0.19.jar - autoclosed
CVE-2019-12418 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-9.0.19.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.19/tomcat-embed-core-9.0.19.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-2.1.5.RELEASE.jar
- ❌ tomcat-embed-core-9.0.19.jar (Vulnerable Library)
- spring-boot-starter-tomcat-2.1.5.RELEASE.jar
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
Publish Date: 2019-12-23
URL: CVE-2019-12418
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418
Release Date: 2019-12-23
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.29
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.11.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000342 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000342 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-04
URL: CVE-2016-1000342
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9489 (Medium) detected in tika-parsers-1.18.jar - autoclosed
CVE-2020-9489 - Medium Severity Vulnerability
Vulnerable Library - tika-parsers-1.18.jar
Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/home/wss-scanner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/canner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar,/canner/.m2/repository/org/apache/tika/tika-parsers/1.18/tika-parsers-1.18.jar
Dependency Hierarchy:
- ❌ tika-parsers-1.18.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
Publish Date: 2020-04-27
URL: CVE-2020-9489
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9489
Release Date: 2020-04-27
Fix Resolution: 1.24.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12402 (High) detected in commons-compress-1.16.1.jar - autoclosed
CVE-2019-12402 - High Severity Vulnerability
Vulnerable Library - commons-compress-1.16.1.jar
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /tools/nibrs-validation/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar
Dependency Hierarchy:
- ❌ commons-compress-1.16.1.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Publish Date: 2019-08-30
URL: CVE-2019-12402
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
Release Date: 2019-08-30
Fix Resolution: 1.19
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36185 (High) detected in multiple libraries - autoclosed
CVE-2020-36185 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar, jackson-databind-2.8.10.jar
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36185
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000343 (Medium) detected in bcprov-jdk15on-1.54.jar - autoclosed
CVE-2016-1000343 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk15on-1.54.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tools/nibrs-staging-data/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Dependency Hierarchy:
- ❌ bcprov-jdk15on-1.54.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Publish Date: 2018-06-04
URL: CVE-2016-1000343
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343
Release Date: 2018-06-04
Fix Resolution: 1.56
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36184 (High) detected in multiple libraries - autoclosed
CVE-2020-36184 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.8.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36184
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36180 (High) detected in multiple libraries - autoclosed
CVE-2020-36180 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-07
URL: CVE-2020-36180
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-07
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-36189 (High) detected in multiple libraries - autoclosed
CVE-2020-36189 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.5.jar
jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-fbi-service/pom.xml
Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /web/nibrs-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
- ❌ jackson-databind-2.9.6.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-summary-report-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
jackson-databind-2.9.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /tools/nibrs-validate-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar
Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)
Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36189
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-06
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.8
Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23
⛑️ Automatic Remediation will be attempted for this issue.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.