samqdemocorp-mend / box_mojito_lvp

Apache License 2.0

spring-security-oauth2-2.0.18.RELEASE.jar: 3 vulnerabilities (highest severity is: 9.3) reachable #35

Open mend-for-github-com[bot] opened 8 months ago

mend-for-github-com[bot] commented 8 months ago
Vulnerable Library - spring-security-oauth2-2.0.18.RELEASE.jar

Module for providing OAuth2 support to Spring Security

Library home page: https://docs.spring.io/spring-security/oauth

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.0.18.RELEASE/spring-security-oauth2-2.0.18.RELEASE.jar

Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-security-oauth2 version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-10202 | Critical | 9.3 | Not Defined | 1.5% | jackson-mapper-asl-1.9.13.jar | Transitive | N/A* | | Reachable |
| CVE-2019-10172 | High | 8.7 | Not Defined | 0.2% | jackson-mapper-asl-1.9.13.jar | Transitive | N/A* | | Unreachable |
| CVE-2022-22969 | High | 7.1 | Not Defined | 0.1% | spring-security-oauth2-2.0.18.RELEASE.jar | Direct | 2.5.2.RELEASE | | Unreachable |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2019-10202

### Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:
- spring-security-oauth2-2.0.18.RELEASE.jar (Root Library)
  - :x: **jackson-mapper-asl-1.9.13.jar** (Vulnerable Library)

Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b

Found in base branch: main

### Reachability Analysis

This vulnerability is potentially reachable

```
com.box.l10n.mojito.security.WebSecurityConfig (Application)
  -> org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration (Extension)
  -> org.springframework.security.oauth2.provider.client.JdbcClientDetailsService (Extension)
  -> org.springframework.security.oauth2.provider.client.JdbcClientDetailsService$JacksonMapper (Extension)
  -> org.codehaus.jackson.map.ObjectMapper (Extension)
  -> org.codehaus.jackson.map.deser.StdDeserializerProvider (Extension)
  -> ❌ org.codehaus.jackson.map.deser.BeanDeserializerFactory (Vulnerable Component)
```

### Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.5%

### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0

CVE-2019-10172

### Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:
- spring-security-oauth2-2.0.18.RELEASE.jar (Root Library)
  - :x: **jackson-mapper-asl-1.9.13.jar** (Vulnerable Library)

Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b

Found in base branch: main

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the Codehaus jackson-mapper-asl libraries, but in different classes.

Publish Date: 2019-11-18

URL: CVE-2019-10172

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172

Release Date: 2019-11-18

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1

CVE-2022-22969

### Vulnerable Library - spring-security-oauth2-2.0.18.RELEASE.jar

Module for providing OAuth2 support to Spring Security

Library home page: https://docs.spring.io/spring-security/oauth

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/oauth/spring-security-oauth2/2.0.18.RELEASE/spring-security-oauth2-2.0.18.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-security-oauth2-2.0.18.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: 012e83ee9b10e35eced839f51b8019c57f33234b

Found in base branch: main

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.

Publish Date: 2022-04-21

URL: CVE-2022-22969

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (7.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22969

Release Date: 2022-04-21

Fix Resolution: 2.5.2.RELEASE

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.