CVE-2019-12814 (Medium) detected in multiple libraries - autoclosed

[mend-for-github-com[bot]]

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar, jackson-databind-2.8.10.jar

jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-validate-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy: - tika-parsers-1.18.jar (Root Library) - :x: **jackson-databind-2.9.5.jar** (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-summary-report-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy: - spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library) - spring-boot-starter-json-2.1.5.RELEASE.jar - :x: **jackson-databind-2.9.8.jar** (Vulnerable Library)

jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /web/nibrs-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy: - :x: **jackson-databind-2.9.6.jar** (Vulnerable Library)

jackson-databind-2.8.10.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-fbi-service/pom.xml

Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar

Dependency Hierarchy: - :x: **jackson-databind-2.8.10.jar** (Vulnerable Library)

Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-06-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.9.1

Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.22

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.9.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.10.RELEASE

---

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.