Findings for Critical

[armorcodegithubapp[bot]]

Findings for Critical A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-17531
• https://github.com/FasterXML/jackson-databind/issues/2498
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://access.redhat.com/errata/RHSA-2019:4192
• https://access.redhat.com/errata/RHSA-2020:0159
• https://access.redhat.com/errata/RHSA-2020:0160
• https://access.redhat.com/errata/RHSA-2020:0161
• https://access.redhat.com/errata/RHSA-2020:0164
• https://access.redhat.com/errata/RHSA-2020:0445
• https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3E
• https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html
• https://security.netapp.com/advisory/ntap-20191024-0005/
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com//security-alerts/cpujul2021.html

• https://github.com/advisories/GHSA-gjmw-vf9h-g25v A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-7525
• https://github.com/FasterXML/jackson-databind/issues/1599
• https://github.com/FasterXML/jackson-databind/issues/1723
• https://access.redhat.com/errata/RHSA-2017:1834
• https://access.redhat.com/errata/RHSA-2017:1835
• https://access.redhat.com/errata/RHSA-2017:1836
• https://access.redhat.com/errata/RHSA-2017:1837
• https://access.redhat.com/errata/RHSA-2017:1839
• https://access.redhat.com/errata/RHSA-2017:1840
• https://access.redhat.com/errata/RHSA-2017:2477
• https://access.redhat.com/errata/RHSA-2017:2546
• https://access.redhat.com/errata/RHSA-2017:2547
• https://access.redhat.com/errata/RHSA-2017:2633
• https://access.redhat.com/errata/RHSA-2017:2635
• https://access.redhat.com/errata/RHSA-2017:2636
• https://access.redhat.com/errata/RHSA-2017:2637
• https://access.redhat.com/errata/RHSA-2017:2638
• https://access.redhat.com/errata/RHSA-2017:3141
• https://access.redhat.com/errata/RHSA-2017:3454
• https://access.redhat.com/errata/RHSA-2017:3455
• https://access.redhat.com/errata/RHSA-2017:3456
• https://access.redhat.com/errata/RHSA-2017:3458
• https://access.redhat.com/errata/RHSA-2018:0294
• https://access.redhat.com/errata/RHSA-2018:0342
• https://access.redhat.com/errata/RHSA-2018:1449
• https://access.redhat.com/errata/RHSA-2018:1450
• https://access.redhat.com/errata/RHSA-2019:0910
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3149
• https://bugzilla.redhat.com/show_bug.cgi?id=1462702
• https://cwiki.apache.org/confluence/display/WW/S2-055
• https://github.com/advisories/GHSA-qxxx-2pp7-5hmx
• https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E
• https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
• https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html
• https://security.netapp.com/advisory/ntap-20171214-0002/
• https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
• https://www.debian.org/security/2017/dsa-4004
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/99623
• http://www.securitytracker.com/id/1039744
• http://www.securitytracker.com/id/1039947
• http://www.securitytracker.com/id/1040360
• https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E

• https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-8840
• https://github.com/FasterXML/jackson-databind/issues/2620
• https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497
• https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html
• https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E
• https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E
• https://security.netapp.com/advisory/ntap-20200327-0002/
• https://www.oracle.com/security-alerts/cpuapr2020.html
• http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://github.com/FasterXML/jackson-databind/commit/74aba4042fce35ee0b91bd2847e788c10040d78b
• https://github.com/FasterXML/jackson-databind/commit/9bb52c7122271df75435ec7e66ecf6b02b1ee14f

• https://github.com/advisories/GHSA-4w82-r329-3q67 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-9547
• https://github.com/FasterXML/jackson-databind/issues/2634
• https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://security.netapp.com/advisory/ntap-20200904-0006/
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

• https://github.com/advisories/GHSA-q93h-jc49-78gg jackson-databind in versions prior to 2.8.10 and 2.9.1, contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-15095
• https://github.com/FasterXML/jackson-databind/issues/1680
• https://github.com/FasterXML/jackson-databind/issues/1737
• https://access.redhat.com/errata/RHSA-2017:3189
• https://access.redhat.com/errata/RHSA-2017:3190
• https://access.redhat.com/errata/RHSA-2018:0342
• https://access.redhat.com/errata/RHSA-2018:0478
• https://access.redhat.com/errata/RHSA-2018:0479
• https://access.redhat.com/errata/RHSA-2018:0480
• https://access.redhat.com/errata/RHSA-2018:0481
• https://access.redhat.com/errata/RHSA-2018:0576
• https://access.redhat.com/errata/RHSA-2018:0577
• https://access.redhat.com/errata/RHSA-2018:1447
• https://access.redhat.com/errata/RHSA-2018:1448
• https://access.redhat.com/errata/RHSA-2018:1449
• https://access.redhat.com/errata/RHSA-2018:1450
• https://access.redhat.com/errata/RHSA-2018:1451
• https://access.redhat.com/errata/RHSA-2018:2927
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3892
• https://github.com/advisories/GHSA-h592-38cm-4ggp
• https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
• https://security.netapp.com/advisory/ntap-20171214-0003/
• https://www.debian.org/security/2017/dsa-4037
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/103880

• http://www.securitytracker.com/id/1039769 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2018-14719
• https://github.com/FasterXML/jackson-databind/issues/2097
• https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
• https://access.redhat.com/errata/RHBA-2019:0959
• https://access.redhat.com/errata/RHSA-2019:0782
• https://access.redhat.com/errata/RHSA-2019:0877
• https://access.redhat.com/errata/RHSA-2019:1782
• https://access.redhat.com/errata/RHSA-2019:1797
• https://access.redhat.com/errata/RHSA-2019:1822
• https://access.redhat.com/errata/RHSA-2019:1823
• https://access.redhat.com/errata/RHSA-2019:2804
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3002
• https://access.redhat.com/errata/RHSA-2019:3140
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3892
• https://access.redhat.com/errata/RHSA-2019:4037
• https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
• https://github.com/advisories/GHSA-4gq5-ch57-c2mg
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
• https://seclists.org/bugtraq/2019/May/68
• https://security.netapp.com/advisory/ntap-20190530-0003/
• https://www.debian.org/security/2019/dsa-4452
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2018-11307
• https://access.redhat.com/errata/RHSA-2019:0782
• https://github.com/FasterXML/jackson-databind/issues/2032
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://nvd.nist.gov/vuln/detail/CVE-2017-7525
• https://access.redhat.com/errata/RHSA-2019:1822
• https://access.redhat.com/errata/RHSA-2019:1823
• https://access.redhat.com/errata/RHSA-2019:2804
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3002
• https://access.redhat.com/errata/RHSA-2019:3140
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3892
• https://access.redhat.com/errata/RHSA-2019:4037
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

• https://github.com/advisories/GHSA-qr7j-h6gg-jmgc A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10202
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10202
• https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E
• https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E
• https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9@%3Cissues.flume.apache.org%3E
• https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E
• https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E
• https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9%40%3Cissues.flume.apache.org%3E

• https://github.com/advisories/GHSA-c27h-mcmw-48hv SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-14379
• https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
• https://github.com/FasterXML/jackson-databind/issues/2387
• https://access.redhat.com/errata/RHBA-2019:2824
• https://access.redhat.com/errata/RHSA-2019:2743
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:2935
• https://access.redhat.com/errata/RHSA-2019:2936
• https://access.redhat.com/errata/RHSA-2019:2937
• https://access.redhat.com/errata/RHSA-2019:2938
• https://access.redhat.com/errata/RHSA-2019:2998
• https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
• https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E
• https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
• https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E
• https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
• https://security.netapp.com/advisory/ntap-20190814-0001/
• https://access.redhat.com/errata/RHSA-2019:3044
• https://access.redhat.com/errata/RHSA-2019:3045
• https://access.redhat.com/errata/RHSA-2019:3046
• https://access.redhat.com/errata/RHSA-2019:3050
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3200
• https://access.redhat.com/errata/RHSA-2019:3292
• https://access.redhat.com/errata/RHSA-2019:3297
• https://access.redhat.com/errata/RHSA-2019:3901
• https://access.redhat.com/errata/RHSA-2020:0727
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://support.apple.com/kb/HT213189
• http://seclists.org/fulldisclosure/2022/Mar/23

• https://github.com/advisories/GHSA-6fpp-rgj9-8rwc A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-17267
• https://github.com/FasterXML/jackson-databind/issues/2460
• https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10
• https://access.redhat.com/errata/RHSA-2019:3200
• https://access.redhat.com/errata/RHSA-2020:0159
• https://access.redhat.com/errata/RHSA-2020:0160
• https://access.redhat.com/errata/RHSA-2020:0161
• https://access.redhat.com/errata/RHSA-2020:0164
• https://access.redhat.com/errata/RHSA-2020:0445
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r9d727fc681fb3828794acbefcaee31393742b4d73a29461ccd9597a8@%3Cdev.skywalking.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html
• https://security.netapp.com/advisory/ntap-20191017-0006/
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html

• https://github.com/advisories/GHSA-f3j5-rmmp-3fc5 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-16943
• https://github.com/FasterXML/jackson-databind/issues/2478
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://access.redhat.com/errata/RHSA-2020:0159
• https://access.redhat.com/errata/RHSA-2020:0160
• https://access.redhat.com/errata/RHSA-2020:0161
• https://access.redhat.com/errata/RHSA-2020:0164
• https://access.redhat.com/errata/RHSA-2020:0445
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
• https://seclists.org/bugtraq/2019/Oct/6
• https://security.netapp.com/advisory/ntap-20191017-0006/
• https://www.debian.org/security/2019/dsa-4542
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com//security-alerts/cpujul2021.html

• https://github.com/advisories/GHSA-fmmc-742q-jg75 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-14540
• https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
• https://github.com/FasterXML/jackson-databind/issues/2410
• https://github.com/FasterXML/jackson-databind/issues/2449
• https://access.redhat.com/errata/RHSA-2019:3200
• https://access.redhat.com/errata/RHSA-2020:0159
• https://access.redhat.com/errata/RHSA-2020:0160
• https://access.redhat.com/errata/RHSA-2020:0161
• https://access.redhat.com/errata/RHSA-2020:0164
• https://access.redhat.com/errata/RHSA-2020:0445
• https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
• https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
• https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E
• https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
• https://seclists.org/bugtraq/2019/Oct/6
• https://security.netapp.com/advisory/ntap-20191004-0002/
• https://www.debian.org/security/2019/dsa-4542
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html

• https://github.com/advisories/GHSA-h822-r4r5-v8jg FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2018-14718
• https://github.com/FasterXML/jackson-databind/issues/2097
• https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
• https://access.redhat.com/errata/RHBA-2019:0959
• https://access.redhat.com/errata/RHSA-2019:0782
• https://access.redhat.com/errata/RHSA-2019:0877
• https://access.redhat.com/errata/RHSA-2019:1782
• https://access.redhat.com/errata/RHSA-2019:1797
• https://access.redhat.com/errata/RHSA-2019:1822
• https://access.redhat.com/errata/RHSA-2019:1823
• https://access.redhat.com/errata/RHSA-2019:2804
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3002
• https://access.redhat.com/errata/RHSA-2019:3140
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3892
• https://access.redhat.com/errata/RHSA-2019:4037
• https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
• https://github.com/advisories/GHSA-645p-88qh-w398
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
• https://seclists.org/bugtraq/2019/May/68
• https://security.netapp.com/advisory/ntap-20190530-0003/
• https://www.debian.org/security/2019/dsa-4452
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

• http://www.securityfocus.com/bid/106601 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-16335
• https://github.com/FasterXML/jackson-databind/issues/2449
• https://access.redhat.com/errata/RHSA-2019:3200
• https://access.redhat.com/errata/RHSA-2020:0159
• https://access.redhat.com/errata/RHSA-2020:0160
• https://access.redhat.com/errata/RHSA-2020:0161
• https://access.redhat.com/errata/RHSA-2020:0164
• https://access.redhat.com/errata/RHSA-2020:0445
• https://access.redhat.com/errata/RHSA-2020:0729
• https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
• https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
• https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E
• https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
• https://seclists.org/bugtraq/2019/Oct/6
• https://security.netapp.com/advisory/ntap-20191004-0002/
• https://www.debian.org/security/2019/dsa-4542
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html

• https://github.com/advisories/GHSA-85cw-hj65-qqv9 FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-20330
• https://github.com/FasterXML/jackson-databind/issues/2526
• https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1...jackson-databind-2.9.10.2
• https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r2c77dd6ab8344285bd8e481b57cf3029965a4b0036eefccef74cdd44@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r3f8180d0d25a7c6473ebb9714b0c1d19a73f455ae70d0c5fefc17e6c@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r428735963bee7cb99877b88d3228e28ec28af64646455c4f3e7a3c94@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r50f513772f12e1babf65c7c2b9c16425bac2d945351879e2e267517f@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r5c14fdcabdeaba258857bcb67198652e4dce1d33ddc590cd81d82393@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r5c3644c97f0434d1ceb48ff48897a67bdbf3baf7efbe7d04625425b3@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r5d3d10fdf28110da3f9ac1b7d08d7e252f98d7d37ce0a6bd139a2e4f@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r67f4d4c48197454b83d62afbed8bebbda3764e6e3a6e26a848961764@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r707d23bb9ee245f50aa909add0da6e8d8f24719b1278ddd99d2428b2@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r7a0821b44247a1e6c6fe5f2943b90ebc4f80a8d1fb0aa9a8b29a59a2@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r7fb123e7dad49af5886cfec7135c0fd5b74e4c67af029e1dc91ba744@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r8831b7fa5ca87a1cf23ee08d6dedb7877a964c1d2bd869af24056a63@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r909c822409a276ba04dc2ae31179b16f6864ba02c4f9911bdffebf95@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/ra2e572f568de8df5ba151e6aebb225a0629faaf0476bf7c7ed877af8@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/ra5ce96faec37c26b0aa15b4b6a8b1cbb145a748653e56ae83e9685d0@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/ra8a80dbc7319916946397823aec0d893d24713cbf7b5aee0e957298c@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rb532fed78d031fff477fd840b81946f6d1200f93a63698dae65aa528@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/rd1f346227e11fc515914f3a7b20d81543e51e5822ba71baa0452634a@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rd49cfa41bbb71ef33b53736a6af2aa8ba88c2106e30f2a34902a87d2@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rd6c6fef14944f3dcfb58d35f9317eb1c32a700e86c1b5231e45d3d0b@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/rfa57d9c2a27d3af14c69607fb1a3da00e758b2092aa88eb6a51b6e99@%3Cissues.zookeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html
• https://security.netapp.com/advisory/ntap-20200127-0004/
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com//security-alerts/cpujul2021.html

• https://github.com/advisories/GHSA-gww7-p5w4-wrfv A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-16942
• https://github.com/FasterXML/jackson-databind/issues/2478
• https://issues.apache.org/jira/browse/GEODE-7255
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://access.redhat.com/errata/RHSA-2019:3901
• https://access.redhat.com/errata/RHSA-2020:0159
• https://access.redhat.com/errata/RHSA-2020:0160
• https://access.redhat.com/errata/RHSA-2020:0161
• https://access.redhat.com/errata/RHSA-2020:0164
• https://access.redhat.com/errata/RHSA-2020:0445
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E
• https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954@%3Cissues.geode.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
• https://seclists.org/bugtraq/2019/Oct/6
• https://security.netapp.com/advisory/ntap-20191017-0006/
• https://www.debian.org/security/2019/dsa-4542
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html

• https://github.com/advisories/GHSA-mx7p-6679-8g3q FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2018-7489
• https://github.com/FasterXML/jackson-databind/issues/1931
• https://access.redhat.com/errata/RHSA-2018:1447
• https://access.redhat.com/errata/RHSA-2018:1448
• https://access.redhat.com/errata/RHSA-2018:1449
• https://access.redhat.com/errata/RHSA-2018:1450
• https://access.redhat.com/errata/RHSA-2018:1451
• https://access.redhat.com/errata/RHSA-2018:1786
• https://access.redhat.com/errata/RHSA-2018:2088
• https://access.redhat.com/errata/RHSA-2018:2089
• https://access.redhat.com/errata/RHSA-2018:2090
• https://access.redhat.com/errata/RHSA-2018:2938
• https://access.redhat.com/errata/RHSA-2018:2939
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3149
• https://github.com/advisories/GHSA-cggj-fvv3-cqwv
• https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E
• https://security.netapp.com/advisory/ntap-20180328-0001/
• https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
• https://www.debian.org/security/2018/dsa-4190
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/103203
• http://www.securitytracker.com/id/1040693

• http://www.securitytracker.com/id/1041890 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-9548
• https://github.com/FasterXML/jackson-databind/issues/2634
• https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
• https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
• https://security.netapp.com/advisory/ntap-20200904-0006/
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

• https://github.com/advisories/GHSA-p43x-xfjf-5jhr FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

  References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-17485
• https://github.com/FasterXML/jackson-databind/issues/1855
• https://access.redhat.com/errata/RHSA-2018:0116
• https://access.redhat.com/errata/RHSA-2018:0342
• https://access.redhat.com/errata/RHSA-2018:0478
• https://access.redhat.com/errata/RHSA-2018:0479
• https://access.redhat.com/errata/RHSA-2018:0480
• https://access.redhat.com/errata/RHSA-2018:0481
• https://access.redhat.com/errata/RHSA-2018:1447
• https://access.redhat.com/errata/RHSA-2018:1448
• https://access.redhat.com/errata/RHSA-2018:1449
• https://access.redhat.com/errata/RHSA-2018:1450
• https://access.redhat.com/errata/RHSA-2018:1451
• https://access.redhat.com/errata/RHSA-2018:2930
• https://access.redhat.com/errata/RHSA-2019:1782
• https://access.redhat.com/errata/RHSA-2019:1797
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3892
• https://github.com/advisories/GHSA-rfx6-vp9g-rh7v
• https://github.com/irsl/jackson-rce-via-spel/
• https://security.netapp.com/advisory/ntap-20180201-0003/
• https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
• https://www.debian.org/security/2018/dsa-4114
• https://www.oracle.com/security-alerts/cpuoct2020.html
• http://www.securityfocus.com/archive/1/541652/100/0/threaded

[armorcodegithubapp[bot]]

Finding [138476501|https://app.armorcode.com/#/findings/185/656/138476501] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476506|https://app.armorcode.com/#/findings/185/656/138476506] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476479|https://app.armorcode.com/#/findings/185/656/138476479] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476515|https://app.armorcode.com/#/findings/185/656/138476515] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476476|https://app.armorcode.com/#/findings/185/656/138476476] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476508|https://app.armorcode.com/#/findings/185/656/138476508] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476469|https://app.armorcode.com/#/findings/185/656/138476469] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476500|https://app.armorcode.com/#/findings/185/656/138476500] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476521|https://app.armorcode.com/#/findings/185/656/138476521] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476504|https://app.armorcode.com/#/findings/185/656/138476504] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476470|https://app.armorcode.com/#/findings/185/656/138476470] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476502|https://app.armorcode.com/#/findings/185/656/138476502] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476509|https://app.armorcode.com/#/findings/185/656/138476509] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476473|https://app.armorcode.com/#/findings/185/656/138476473] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476514|https://app.armorcode.com/#/findings/185/656/138476514] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476472|https://app.armorcode.com/#/findings/185/656/138476472] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476503|https://app.armorcode.com/#/findings/185/656/138476503] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476507|https://app.armorcode.com/#/findings/185/656/138476507] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform

[armorcodegithubapp[bot]]

Finding [138476477|https://app.armorcode.com/#/findings/185/656/138476477] status changed from Open to Confirmed Note:
by SYSTEM via ArmorCode Platform