MendDemo-josh / java-sec-code

Java web common vulnerabilities and security code which is base on springboot and spring security
0 stars 0 forks source link

spring-boot-starter-web-1.5.1.RELEASE.jar: 116 vulnerabilities (highest severity is: 10.0) reachable #5

Open mend-for-github-com[bot] opened 11 months ago

mend-for-github-com[bot] commented 11 months ago
Vulnerable Library - spring-boot-starter-web-1.5.1.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible** Reachability
CVE-2018-14721 Critical 10.0 Not Defined 1.0% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2022-22965 Critical 9.8 High 97.5% spring-beans-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2020-9548 Critical 9.8 Not Defined 0.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-9547 Critical 9.8 Not Defined 0.70000005% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-9546 Critical 9.8 Not Defined 0.70000005% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-8840 Critical 9.8 Not Defined 3.0% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-20330 Critical 9.8 Not Defined 0.6% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-17531 Critical 9.8 Not Defined 1.0% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-17267 Critical 9.8 Not Defined 1.4000001% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-16943 Critical 9.8 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-16942 Critical 9.8 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-16335 Critical 9.8 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-14893 Critical 9.8 Not Defined 2.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-14892 Critical 9.8 Not Defined 0.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-14540 Critical 9.8 Not Defined 0.6% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-14379 Critical 9.8 Not Defined 1.0% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-10202 Critical 9.8 Not Defined 1.9% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-7489 Critical 9.8 Not Defined 93.7% jackson-databind-2.8.6.jar Transitive 1.5.11.RELEASE

Reachable

CVE-2018-19362 Critical 9.8 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-19361 Critical 9.8 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-19360 Critical 9.8 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-14720 Critical 9.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-14719 Critical 9.8 Not Defined 1.1% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-14718 Critical 9.8 Not Defined 5.7% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-11307 Critical 9.8 Not Defined 1.3000001% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2017-7525 Critical 9.8 Not Defined 49.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2017-17485 Critical 9.8 Not Defined 14.0% jackson-databind-2.8.6.jar Transitive 1.5.11.RELEASE

Reachable

CVE-2017-15095 Critical 9.8 Not Defined 2.6000001% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-11113 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-11112 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-11111 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-10969 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-10968 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-10673 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-10672 High 8.8 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2022-1471 High 8.3 Not Defined 2.1% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2024-22262 High 8.1 Not Defined 0.1% spring-web-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2024-22259 High 8.1 Not Defined 0.1% spring-web-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2024-22243 High 8.1 Not Defined 0.1% spring-web-4.3.6.RELEASE.jar Transitive 3.0.0

Reachable

CVE-2021-20190 High 8.1 Not Defined 0.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36189 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36188 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36187 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36186 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36185 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36184 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36183 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36182 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36181 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36180 High 8.1 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-36179 High 8.1 Not Defined 0.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-24750 High 8.1 Not Defined 0.70000005% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-24616 High 8.1 Not Defined 1.2% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-14195 High 8.1 Not Defined 3.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-14062 High 8.1 Not Defined 7.2% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-14061 High 8.1 Not Defined 4.7% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-14060 High 8.1 Not Defined 13.500001% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-11620 High 8.1 Not Defined 4.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2020-11619 High 8.1 Not Defined 5.0% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-5968 High 8.1 Not Defined 9.3% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2024-24549 High 7.5 Not Defined 0.0% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2023-46589 High 7.5 Not Defined 0.5% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2023-44487 High 7.5 High 83.8% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2023-28709 High 7.5 Not Defined 0.9% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2022-42003 High 7.5 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive 2.6.0

Reachable

CVE-2022-25857 High 7.5 Not Defined 0.5% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2020-36518 High 7.5 Not Defined 0.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-14439 High 7.5 Not Defined 0.2% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-12086 High 7.5 Not Defined 0.4% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-15756 High 7.5 Not Defined 0.4% spring-web-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2018-1272 High 7.5 Not Defined 0.2% spring-core-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2018-12023 High 7.5 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-12022 High 7.5 Not Defined 0.5% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-11040 High 7.5 Not Defined 0.2% detected in multiple dependencies Transitive N/A*

Reachable

CVE-2017-18640 High 7.5 Not Defined 1.9% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2023-6378 High 7.1 Not Defined 0.1% logback-classic-1.1.9.jar Transitive N/A*

Reachable

CVE-2017-7536 High 7.0 Not Defined 0.1% hibernate-validator-5.3.4.Final.jar Transitive N/A*

Reachable

CVE-2021-42550 Medium 6.6 Not Defined 1.6% detected in multiple dependencies Transitive 2.5.8

Reachable

CVE-2023-20863 Medium 6.5 Not Defined 0.2% spring-expression-4.3.6.RELEASE.jar Transitive 2.4.0

Reachable

CVE-2023-20861 Medium 6.5 Not Defined 0.1% spring-expression-4.3.6.RELEASE.jar Transitive 2.4.0

Reachable

CVE-2022-38752 Medium 6.5 Not Defined 1.0% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2022-38751 Medium 6.5 Not Defined 0.2% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2022-38750 Medium 6.5 Not Defined 0.1% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2022-38749 Medium 6.5 Not Defined 0.2% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2022-22950 Medium 6.5 Not Defined 0.1% spring-expression-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2020-5421 Medium 6.5 Not Defined 13.0% spring-web-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2024-23672 Medium 6.3 Not Defined 0.0% tomcat-embed-websocket-8.5.85.jar Transitive N/A*

Reachable

CVE-2023-41080 Medium 6.1 Not Defined 0.70000005% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2023-1932 Medium 6.1 Not Defined 0.0% hibernate-validator-5.3.4.Final.jar Transitive N/A*

Reachable

CVE-2023-42794 Medium 5.9 Not Defined 0.1% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2019-12814 Medium 5.9 Not Defined 1.3000001% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2019-12384 Medium 5.9 Not Defined 57.6% jackson-databind-2.8.6.jar Transitive N/A*

Reachable

CVE-2018-1271 Medium 5.9 Not Defined 0.4% spring-webmvc-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2022-41854 Medium 5.8 Not Defined 0.6% snakeyaml-1.21.jar Transitive N/A*

Reachable

CVE-2023-45648 Medium 5.3 Not Defined 0.4% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2023-42795 Medium 5.3 Not Defined 1.7% tomcat-embed-core-8.5.85.jar Transitive N/A*

Reachable

CVE-2022-22970 Medium 5.3 Not Defined 0.4% detected in multiple dependencies Transitive N/A*

Reachable

CVE-2020-10693 Medium 5.3 Not Defined 0.1% hibernate-validator-5.3.4.Final.jar Transitive N/A*

Reachable

CVE-2018-1199 Medium 5.3 Not Defined 0.2% spring-core-4.3.6.RELEASE.jar Transitive N/A*

Reachable

CVE-2021-22096 Medium 4.3 Not Defined 0.1% detected in multiple dependencies Transitive N/A*

Reachable

CVE-2017-5929 Critical 9.8 Not Defined 1.7% detected in multiple dependencies Transitive N/A*

Unreachable

CVE-2016-1000027 Critical 9.8 Not Defined 2.4% spring-web-4.3.6.RELEASE.jar Transitive N/A*

Unreachable

CVE-2020-10650 High 8.1 Not Defined 0.8% jackson-databind-2.8.6.jar Transitive N/A*

Unreachable

CVE-2022-27772 High 7.8 Not Defined 0.0% spring-boot-1.5.1.RELEASE.jar Transitive N/A*

Unreachable

CVE-2023-20883 High 7.5 Not Defined 0.1% spring-boot-autoconfigure-1.5.1.RELEASE.jar Transitive N/A*

Unreachable

CVE-2022-42004 High 7.5 Not Defined 0.3% jackson-databind-2.8.6.jar Transitive 2.6.0

Unreachable

CVE-2023-6481 High 7.1 Not Defined 0.1% logback-core-1.1.9.jar Transitive N/A*

Unreachable

CVE-2018-11039 Medium 5.9 Not Defined 0.2% spring-web-4.3.6.RELEASE.jar Transitive N/A*

Unreachable

CVE-2022-22968 Medium 5.3 Not Defined 0.1% spring-context-4.3.6.RELEASE.jar Transitive N/A*

Unreachable

CVE-2023-28708 Medium 4.3 Not Defined 0.1% tomcat-embed-core-8.5.85.jar Transitive N/A*

Unreachable

CVE-2021-22060 Medium 4.3 Not Defined 0.1% spring-core-4.3.6.RELEASE.jar Transitive N/A*

Unreachable

CVE-2024-38819 High 7.5 Not Defined spring-webmvc-4.3.6.RELEASE.jar Transitive N/A*
CVE-2024-38816 High 7.5 Not Defined 0.1% spring-webmvc-4.3.6.RELEASE.jar Transitive N/A*
CVE-2024-38809 Medium 5.3 Not Defined 0.0% spring-web-4.3.6.RELEASE.jar Transitive 3.0.0
CVE-2024-38808 Medium 4.3 Not Defined 0.0% spring-expression-4.3.6.RELEASE.jar Transitive 3.0.0
CVE-2024-38820 Low 3.1 Not Defined 0.1% spring-context-4.3.6.RELEASE.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (6 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2018-14721 ### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.6.7.3,2.7.9.5,2.8.11.3,2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

### CVSS 3 Score Details (10.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-01-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.5,2.8.11.3,2.9.7

CVE-2022-22965 ### Vulnerable Library - spring-beans-4.3.6.RELEASE.jar

Spring Beans

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.6.RELEASE/spring-beans-4.3.6.RELEASE.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - spring-boot-starter-1.5.1.RELEASE.jar - spring-boot-1.5.1.RELEASE.jar - spring-context-4.3.6.RELEASE.jar - spring-aop-4.3.6.RELEASE.jar - :x: **spring-beans-4.3.6.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.config.HttpServiceConfig (Application) -> org.springframework.boot.web.client.RestTemplateBuilder (Extension) -> org.springframework.beans.BeanUtils (Extension) -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component) ```

### Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

### Threat Assessment

Exploit Maturity: High

EPSS: 97.5%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

CVE-2020-9548 ### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4

CVE-2020-9547 ### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-q93h-jc49-78gg

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4

CVE-2020-9546 ### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2020-8840 ### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.0%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3


In order to enable automatic remediation for this issue, please create workflow rules

mend-for-github-com[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 3 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.