spring-boot-starter-web-1.5.1.RELEASE.jar: 111 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-github-com[bot]]

Vulnerable Library - spring-boot-starter-web-1.5.1.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-starter-web version)	Remediation Possible**	Reachability
CVE-2022-22965	Critical	9.8	High	97.5%	spring-beans-4.3.6.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2022-1471	Critical	9.8	Not Defined	3.6%	snakeyaml-1.21.jar	Transitive	3.2.0	✅	Reachable
CVE-2020-9548	Critical	9.8	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-9547	Critical	9.8	Not Defined	0.70000005%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-9546	Critical	9.8	Not Defined	0.70000005%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-8840	Critical	9.8	Not Defined	3.0%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-20330	Critical	9.8	Not Defined	0.6%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-17531	Critical	9.8	Not Defined	0.70000005%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-17267	Critical	9.8	Not Defined	1.2%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-16943	Critical	9.8	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-16942	Critical	9.8	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-16335	Critical	9.8	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14893	Critical	9.8	Not Defined	2.5%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14892	Critical	9.8	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14540	Critical	9.8	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14379	Critical	9.8	Not Defined	1.0%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-10202	Critical	9.8	Not Defined	1.5%	jackson-databind-2.8.6.jar	Transitive	2.1.6.RELEASE	✅	Reachable
CVE-2018-7489	Critical	9.8	Not Defined	93.6%	jackson-databind-2.8.6.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2018-19362	Critical	9.8	Not Defined	0.6%	jackson-databind-2.8.6.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-19361	Critical	9.8	Not Defined	0.6%	jackson-databind-2.8.6.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-19360	Critical	9.8	Not Defined	0.6%	jackson-databind-2.8.6.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-14720	Critical	9.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-14719	Critical	9.8	Not Defined	1.0%	jackson-databind-2.8.6.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-14718	Critical	9.8	Not Defined	3.7%	jackson-databind-2.8.6.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-11307	Critical	9.8	Not Defined	1.3000001%	jackson-databind-2.8.6.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2017-7525	Critical	9.8	Not Defined	57.1%	jackson-databind-2.8.6.jar	Transitive	1.5.5.RELEASE	✅	Reachable
CVE-2017-17485	Critical	9.8	Not Defined	14.0%	jackson-databind-2.8.6.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2017-15095	Critical	9.8	Not Defined	4.8%	jackson-databind-2.8.6.jar	Transitive	1.5.7.RELEASE	✅	Reachable
CVE-2020-11113	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-11112	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-11111	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10969	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10968	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10673	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10672	High	8.8	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2024-22262	High	8.1	Not Defined	0.0%	spring-web-4.3.6.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2024-22259	High	8.1	Not Defined	0.1%	spring-web-4.3.6.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2024-22243	High	8.1	Not Defined	0.0%	spring-web-4.3.6.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2021-20190	High	8.1	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36189	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36188	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36187	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36186	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36185	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36184	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36183	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36182	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36181	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36180	High	8.1	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36179	High	8.1	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-24750	High	8.1	Not Defined	0.5%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-24616	High	8.1	Not Defined	1.2%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14195	High	8.1	Not Defined	3.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14062	High	8.1	Not Defined	5.2999997%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14061	High	8.1	Not Defined	3.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14060	High	8.1	Not Defined	10.1%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-11620	High	8.1	Not Defined	4.4%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-11619	High	8.1	Not Defined	5.0%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2018-5968	High	8.1	Not Defined	9.3%	jackson-databind-2.8.6.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2024-24549	High	7.5	Not Defined	0.0%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2024-23672	High	7.5	Not Defined	0.0%	tomcat-embed-websocket-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-6378	High	7.5	Not Defined	0.0%	logback-classic-1.1.9.jar	Transitive	3.2.1	✅	Reachable
CVE-2023-46589	High	7.5	Not Defined	0.5%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-44487	High	7.5	High	70.8%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-28709	High	7.5	Not Defined	0.70000005%	tomcat-embed-core-8.5.85.jar	Transitive	1.5.2.RELEASE	✅	Reachable
CVE-2022-42003	High	7.5	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.6.0	✅	Reachable
CVE-2022-25857	High	7.5	Not Defined	0.2%	snakeyaml-1.21.jar	Transitive	3.0.0	✅	Reachable
CVE-2020-36518	High	7.5	Not Defined	0.2%	jackson-databind-2.8.6.jar	Transitive	2.5.15	✅	Reachable
CVE-2019-14439	High	7.5	Not Defined	0.2%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-12086	High	7.5	Not Defined	0.4%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2018-15756	High	7.5	Not Defined	0.4%	spring-web-4.3.6.RELEASE.jar	Transitive	1.5.17.RELEASE	✅	Reachable
CVE-2018-1272	High	7.5	Not Defined	0.2%	spring-core-4.3.6.RELEASE.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2018-12023	High	7.5	Not Defined	0.9%	jackson-databind-2.8.6.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2018-12022	High	7.5	Not Defined	0.8%	jackson-databind-2.8.6.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2018-11040	High	7.5	Not Defined	0.3%	detected in multiple dependencies	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2017-18640	High	7.5	Not Defined	1.9%	snakeyaml-1.21.jar	Transitive	2.3.0.RELEASE	✅	Reachable
CVE-2017-7536	High	7.0	Not Defined	0.1%	hibernate-validator-5.3.4.Final.jar	Transitive	1.5.9.RELEASE	✅	Reachable
CVE-2021-42550	Medium	6.6	Not Defined	1.6%	detected in multiple dependencies	Transitive	2.5.8	✅	Reachable
CVE-2023-20863	Medium	6.5	Not Defined	0.3%	spring-expression-4.3.6.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2023-20861	Medium	6.5	Not Defined	0.1%	spring-expression-4.3.6.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2022-38752	Medium	6.5	Not Defined	0.3%	snakeyaml-1.21.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-38751	Medium	6.5	Not Defined	0.1%	snakeyaml-1.21.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-38749	Medium	6.5	Not Defined	0.1%	snakeyaml-1.21.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-22950	Medium	6.5	Not Defined	0.1%	spring-expression-4.3.6.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2020-5421	Medium	6.5	Not Defined	15.299999%	spring-web-4.3.6.RELEASE.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2023-41080	Medium	6.1	Not Defined	0.2%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-1932	Medium	6.1	Not Defined		hibernate-validator-5.3.4.Final.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2023-42794	Medium	5.9	Not Defined	0.0%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2019-12814	Medium	5.9	Not Defined	1.5%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-12384	Medium	5.9	Not Defined	53.3%	jackson-databind-2.8.6.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2018-1271	Medium	5.9	Not Defined	0.4%	spring-webmvc-4.3.6.RELEASE.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2022-41854	Medium	5.8	Not Defined	0.70000005%	snakeyaml-1.21.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-38750	Medium	5.5	Not Defined	0.1%	snakeyaml-1.21.jar	Transitive	3.0.0	✅	Reachable
CVE-2023-45648	Medium	5.3	Not Defined	0.2%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-42795	Medium	5.3	Not Defined	1.0%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2022-22970	Medium	5.3	Not Defined	0.4%	detected in multiple dependencies	Transitive	2.4.0	✅	Reachable
CVE-2020-10693	Medium	5.3	Not Defined	0.1%	hibernate-validator-5.3.4.Final.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2018-1199	Medium	5.3	Not Defined	0.2%	spring-core-4.3.6.RELEASE.jar	Transitive	1.5.10.RELEASE	✅	Reachable
CVE-2021-22096	Medium	4.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	2.4.0	✅	Reachable
CVE-2017-5929	Critical	9.8	Not Defined	1.7%	detected in multiple dependencies	Transitive	1.5.2.RELEASE	✅	Unreachable
CVE-2016-1000027	Critical	9.8	Not Defined	2.4%	spring-web-4.3.6.RELEASE.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2020-10650	High	8.1	Not Defined	0.5%	jackson-databind-2.8.6.jar	Transitive	2.2.0.RELEASE	✅	Unreachable
CVE-2022-27772	High	7.8	Not Defined	0.0%	spring-boot-1.5.1.RELEASE.jar	Transitive	2.2.11.RELEASE	✅	Unreachable
CVE-2023-6481	High	7.5	Not Defined	0.0%	logback-core-1.1.9.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-20883	High	7.5	Not Defined	0.1%	spring-boot-autoconfigure-1.5.1.RELEASE.jar	Transitive	2.5.15	✅	Unreachable
CVE-2022-42004	High	7.5	Not Defined	0.3%	jackson-databind-2.8.6.jar	Transitive	2.6.0	✅	Unreachable
CVE-2023-34055	Medium	6.5	Not Defined	0.0%	spring-boot-1.5.1.RELEASE.jar	Transitive	2.7.18	✅	Unreachable
CVE-2018-11039	Medium	5.9	Not Defined	0.3%	spring-web-4.3.6.RELEASE.jar	Transitive	1.5.14.RELEASE	✅	Unreachable
CVE-2022-22968	Medium	5.3	Not Defined	0.1%	spring-context-4.3.6.RELEASE.jar	Transitive	2.4.0	✅	Unreachable
CVE-2023-28708	Medium	4.3	Not Defined	0.1%	tomcat-embed-core-8.5.85.jar	Transitive	2.1.0.RELEASE	✅	Unreachable
CVE-2021-22060	Medium	4.3	Not Defined	0.1%	spring-core-4.3.6.RELEASE.jar	Transitive	2.4.0	✅	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (5 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-22965

### Vulnerable Library - spring-beans-4.3.6.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.6.RELEASE/spring-beans-4.3.6.RELEASE.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - spring-boot-starter-1.5.1.RELEASE.jar - spring-boot-1.5.1.RELEASE.jar - spring-context-4.3.6.RELEASE.jar - spring-aop-4.3.6.RELEASE.jar - :x: **spring-beans-4.3.6.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.config.HttpServiceConfig (Application) -> org.springframework.web.client.RestTemplate (Extension) -> org.springframework.web.client.HttpMessageConverterExtractor (Extension) -> ch.qos.logback.classic.gaffer.GafferConfigurator (Extension) ... -> org.springframework.beans.factory.groovy.GroovyBeanDefinitionReader (Extension) -> org.springframework.context.support.AbstractApplicationContext (Extension) -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component) ```

### Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

### Threat Assessment

Exploit Maturity: High

EPSS: 97.5%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-1471

### Vulnerable Library - snakeyaml-1.21.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.21/snakeyaml-1.21.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - spring-boot-starter-1.5.1.RELEASE.jar - :x: **snakeyaml-1.21.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Rce (Application) -> ❌ org.yaml.snakeyaml.constructor.Constructor (Vulnerable Component) ```

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.6%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-9548

### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2020-9547

### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-q93h-jc49-78gg

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2020-9546

### Vulnerable Library - jackson-databind-2.8.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar

Dependency Hierarchy: - spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library) - :x: **jackson-databind-2.8.6.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Jsonp (Application) -> org.springframework.web.servlet.view.json.MappingJackson2JsonView (Extension) -> com.fasterxml.jackson.databind.ObjectMapper (Extension) -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component) ```

### Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules