Blackduck: Automated PR: Update com.fasterxml.jackson.core:jackson-databind:2.9.8 to 2.18.3#10
Open
github-actions[bot] wants to merge 1 commit into
Vulnerabilities associated with com.fasterxml.jackson.core:jackson-databind:2.9.8
BDSA-2019-1881 (HIGH): An improper privilege management vulnerability has been discovered in FasterXML jackson-databind. An attacker could exploit this vulnerability through an externally exposed JSON endpoint by targeting a specific class during malicious polymorphic deserialization, which could lead to arbitrary code execution against the system.
BDSA-2019-2355 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to insufficient blacklisting of dangerous classes when used along with Ehcache. Ehcache is an open source, standards-based cache that boosts performance. An attacker could leverage a dangerous transaction manager class to deserialize untrusted input and execute arbitrary code on the underlying host.
BDSA-2019-2369 (HIGH): jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that Default Typing must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2019-2978 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a "gadget" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
BDSA-2019-2980 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a "gadget" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
BDSA-2019-3135 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest. An attacker must also be able to find an RMI service endpoint to access.
BDSA-2019-3136 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest. The target service must also have the commons-dbcp JAR file in the class path, and the attacker must also be able to find an RMI service endpoint to access.
BDSA-2019-3151 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest. The target service must also have the ehcache JAR file in the class path, and the attacker must also be able to find an RMI service endpoint to access.
BDSA-2019-3215 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with the apache-log4j-extras gadget. An attacker could exploit this vulnerability by providing a malicious Java Naming and Directory Interface (JNDI) service to a vulnerable application which has this gadget on the classpath and has default typing enabled.
BDSA-2019-4111 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with net.sf.ehcache gadgets. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has one of these gadgets on the classpath and default typing enabled.
BDSA-2019-4213 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that Default Typing must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2019-4214 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that Default Typing must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2019-4338 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest. The target service must also have the bus-proxy JAR file in the class path, and the attacker must also be able to find an RMI service endpoint to access.
BDSA-2020-0252 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to an exposed JSON end path.
BDSA-2020-0354 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application.
BDSA-2020-0361 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest. The target service must also have the ibatis-sqlmap JAR file in the class path, and the attacker must also be able to find an RMI service endpoint to access.
BDSA-2020-0363 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application.
BDSA-2020-0486 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a "gadget" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-0487 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a "gadget" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-0553 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest. The target service must also have the javax.swing JAR file in the class path, and the attacker must also be able to find an RMI service endpoint to access.
BDSA-2020-0582 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by "gadgets" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-0583 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a "gadget" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-0584 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a "gadget" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-0689 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by "gadgets" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-0690 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by "gadgets" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-1415 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that this 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2020-1416 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that this 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2020-1417 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that this 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2020-1428 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that this 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2020-2193 (HIGH): FasterXML jackson-databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by a gadget used by the application. A remote attacker could execute arbitrary commands on the underlying system by submitting crafted JSON messages to the application. It should be noted that this 'Default Typing' must be enabled for an externally exposed JSON end-path in order for this vulnerability to manifest.
BDSA-2020-2643 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to how polymorphic data types are handled by "gadgets" used by the application. A remote attacker could execute arbitrary commands on the underlying system. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-2965 (HIGH): Jackson Databind is vulnerable to XML external entities (XXE) due to insecure entity expansion in the DOMDeserializer component. An attacker could exploit this vulnerability via a crafted request in order to execute an XML external entities (XXE) attack against the application.
BDSA-2020-3826 (HIGH): FasterXML Jackson Databind contains a Java deserialization vulnerability. Under certain conditions, this allows a remote attacker to achieve remote code execution. Systems using Jackson Databind to deserialize untrusted data may be vulnerable.
BDSA-2020-3827 (HIGH): FasterXML Jackson Databind contains a Java deserialization vulnerability. Under certain conditions, this allows a remote attacker to achieve remote code execution. Systems using Jackson Databind to deserialize untrusted data may be vulnerable.
BDSA-2020-3902 (HIGH): When Default Typing is enabled, jackson-databind is vulnerable to remote code execution (RCE) through the provision of a maliciously crafted JSON file that exploits how polymorphic data types are handled.
BDSA-2020-4020 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with PerUserPoolDataSource gadgets. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has one of these gadgets on the classpath and default typing enabled.
BDSA-2020-4021 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with the com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource gadget. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application using this gadget on the classpath with default typing enabled.
BDSA-2020-4022 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with SharedPoolDataSource gadgets. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has one of these gadgets on the classpath and default typing enabled.
BDSA-2020-4023 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with gadgets in the tomcat:naming-factory-dbcp library. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has the affected gadget on the classpath and default typing enabled.
BDSA-2020-4024 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with gadgets in the tomcat:naming-factory-dbcp library. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has the affected gadget on the classpath and default typing enabled.
BDSA-2020-4026 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with the com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource gadget. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application using this gadget on the classpath with default typing enabled.
BDSA-2020-4090 (HIGH): Jackson Databind FasterXML contains a deserialization vulnerability. Under certain conditions, this allows a remote attacker to achieve remote code execution. Systems using Jackson Databind to deserialize untrusted data may be vulnerable. Default typing must be enabled in order for this vulnerability to manifest.
Version 2.10.0 of Databind introduced functionality which allows developers to limit subtypes allowed by default typing using a whitelist.
BDSA-2020-4813 (HIGH): Jackson Databind is vulnerable to remote code execution (RCE) due to the improper handling of polymorphic deserialization with gadgets in the ignite-jta class. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has the affected gadget on the classpath and default typing enabled.
BDSA-2021-0012 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with DriverAdapterCPDS gadgets. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has one of these gadgets on the classpath and default typing enabled.
BDSA-2021-0013 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with a Xalan gadget derivative. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has one of these gadgets on the classpath and default typing enabled.
BDSA-2021-0014 (HIGH): FasterXML Jackson-Databind contains a remote code execution (RCE) vulnerability because it does not block access to a gadget class. This could allow an attacker to exploit a potential mishandling of polymorphic deserialization by supplying a crafted input.
BDSA-2021-0015 (HIGH): FasterXML Jackson-Databind contains a remote code execution (RCE) vulnerability because it does not block access to a gadget class. This could allow an attacker to exploit a potential mishandling of polymorphic deserialization by supplying a crafted input.
BDSA-2021-0016 (HIGH): Jackson-Databind is vulnerable to remote code execution (RCE) due to improper handling of polymorphic deserialization with DriverAdapterCPDS gadgets. An attacker could exploit this vulnerability by sending a maliciously crafted JSON message to a vulnerable application which has one of these gadgets on the classpath and default typing enabled.
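Nearly every entry above is conditional on the same setting: global default typing with no restriction on which subtypes may be named in a type id. The repeated note that 2.10.0 lets developers limit those subtypes with a whitelist refers to the PolymorphicTypeValidator API. The following is an added example, not code from this PR, from Black Duck, or from the jackson-databind project. It puts the legacy enableDefaultTyping() configuration that the 2.9.8 advisories assume beside an allow-list built with BasicPolymorphicTypeValidator and feeds both the same constructed payloads. The Event class, the package com.example.app.model and the two JSON strings are assumptions made for the example.

```java
package com.example.app.model; // assumed package, chosen for the example

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Contrasts global default typing without an allow-list (the setting the
 * "Default Typing must be enabled" advisories above depend on) with the
 * PolymorphicTypeValidator introduced in jackson-databind 2.10.
 * Compile and run against jackson-databind 2.18.3, the version this PR moves to.
 */
public class DefaultTypingCheck {

    /** Hypothetical application type that is legitimately polymorphic. */
    public static class Event {
        public String name;
    }

    /** Legacy configuration: any class on the classpath may be named as a type id. */
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, WRAPPER_ARRAY, no allow-list
        return m;
    }

    /** Hardened configuration: only the application's own package may be named. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.model.") // assumed package prefix
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    /** Returns the class the mapper instantiated, or null if it refused the type id. */
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return null; // the validator denied the type id
        } catch (Exception e) {
            return "error: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed payloads. The first has the shape of a gadget payload: the
        // type id names a class the application never meant to instantiate from
        // JSON. java.util.HashMap stands in only because it is on every classpath
        // and outside the allow-list; the real gadgets are the JDBC/JNDI classes
        // named in the advisories above.
        String untrusted = "[\"java.util.HashMap\", {\"x\": 1}]";
        String legitimate = "[\"" + Event.class.getName() + "\", {\"name\": \"login\"}]";

        System.out.println("legacy   untrusted  -> " + tryRead(legacyMapper(), untrusted));
        System.out.println("legacy   legitimate -> " + tryRead(legacyMapper(), legitimate));
        System.out.println("hardened untrusted  -> " + tryRead(hardenedMapper(), untrusted));
        System.out.println("hardened legitimate -> " + tryRead(hardenedMapper(), legitimate));
    }
}
```

The legacy mapper instantiates whatever class the type id names; against 2.9.8 that is how the gadget classes listed above reach their constructors and setters. The hardened mapper accepts Event and rejects the HashMap type id with InvalidTypeIdException, and it would reject the gadget classes the same way, whether or not a blocklist knows about them. Merging this PR is therefore necessary but not sufficient: an application that still calls enableDefaultTyping() on 2.18.3 is protected only by the library's blocklist, and the next gadget on the classpath reopens the problem, whereas an allow-list scoped to the application's own types closes it regardless of version. After merging, confirm that no transitive dependency still pins 2.9.8 (for Maven, `mvn dependency:tree` filtered on jackson-databind).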