search

Tim-sandbox / petclinic-rest

Apache License 2.0
0 stars 0 forks source link

WS-2021-0616 (Medium) detected in jackson-databind-2.11.4.jar #17

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.11.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /sitory/com/fasterxml/jackson/core/jackson-databind/2.11.4/jackson-databind-2.11.4.jar

Dependency Hierarchy: - :x: **jackson-databind-2.11.4.jar** (Vulnerable Library)

Found in HEAD commit: 338ae0024bb25a8bbd720eae5b5fbae3875c4bf3

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/issues/3328

Release Date: 2021-11-20

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1