snowdensb / nibrs

Source code for SEARCH's National Incident-Based Reporting System (NIBRS) toolkit
Apache License 2.0

CVE-2020-36518 (High) detected in multiple libraries - autoclosed #337

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 2 years ago

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.8.10.jar, jackson-databind-2.9.5.jar, jackson-databind-2.9.6.jar, jackson-databind-2.9.8.jar

jackson-databind-2.8.10.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-fbi-service/pom.xml

Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar

Dependency Hierarchy:
- :x: **jackson-databind-2.8.10.jar** (Vulnerable Library)

jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-validate-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:
- tika-parsers-1.18.jar (Root Library)
  - :x: **jackson-databind-2.9.5.jar** (Vulnerable Library)

jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /web/nibrs-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:
- :x: **jackson-databind-2.9.6.jar** (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-summary-report-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:
- spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
  - spring-boot-starter-json-2.1.5.RELEASE.jar
    - :x: **jackson-databind-2.9.8.jar** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.28

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.15


:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
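As an added illustration (not part of this issue and not the nibrs project's own code): the payload shape behind CVE-2020-36518 and a stopgap depth guard for a service that cannot immediately move off the transitive jackson-databind versions listed above. The class and method names, the `100_000` payload depth and the `1000` limit are assumptions, and the JSON inputs are constructed. The streaming parser in jackson-core walks tokens iteratively and does not recurse, so it can measure nesting cheaply; the overflow lives in the recursive data-binding deserializers that `readValue` into `Object` or `Map` uses. Upgrading as the report suggests remains the real fix; from jackson-core 2.15 the parser itself also enforces a default maximum nesting depth of 1000 through `StreamReadConstraints`.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical class name; nothing here comes from the nibrs code base.
public class NestingDepthCheck {

    // Constructed payload: `depth` nested objects, {"a":{"a":...{"a":1}...}}.
    static String nestedObjects(int depth) {
        StringBuilder sb = new StringBuilder(depth * 6 + 2);
        for (int i = 0; i < depth; i++) {
            sb.append("{\"a\":");
        }
        sb.append('1');
        for (int i = 0; i < depth; i++) {
            sb.append('}');
        }
        return sb.toString();
    }

    // Pre-parse guard: walk the token stream with the iterative streaming parser
    // and reject input whose nesting exceeds maxDepth before it reaches the
    // recursive data-binding deserializers. Works on the 2.8.x/2.9.x versions
    // flagged above; on jackson-core 2.15+ the parser may itself throw an
    // IOException subclass once its own default limit of 1000 is exceeded.
    static boolean withinDepthLimit(String json, int maxDepth) throws IOException {
        try (JsonParser p = new JsonFactory().createParser(json)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > maxDepth) {
                        return false;
                    }
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
            return true;
        }
    }

    // Binds untrusted JSON only after the depth guard passes.
    static Object bindUntrusted(ObjectMapper mapper, String json, int maxDepth) throws IOException {
        if (!withinDepthLimit(json, maxDepth)) {
            throw new IOException("JSON nesting exceeds limit of " + maxDepth);
        }
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        // Assumption: 100_000 levels is far more than a default JVM thread stack holds.
        String deep = nestedObjects(100_000);

        // Unguarded call: on an unfixed jackson-databind this recurses once per level
        // inside UntypedObjectDeserializer and dies with StackOverflowError.
        try {
            mapper.readValue(deep, Object.class);
            System.out.println("unguarded: parsed (fixed jackson-databind or large stack)");
        } catch (StackOverflowError e) {
            System.out.println("unguarded: StackOverflowError (CVE-2020-36518 behaviour)");
        } catch (IOException e) {
            System.out.println("unguarded: rejected by parser constraints: " + e.getMessage());
        }

        // Guarded call: rejected by the token walk, no recursion involved.
        try {
            bindUntrusted(mapper, deep, 1000);
        } catch (IOException e) {
            System.out.println("guarded: " + e.getMessage());
        }

        // Ordinary input still binds normally (constructed sample record).
        Object ok = bindUntrusted(mapper, "{\"offense\":{\"code\":\"13A\"}}", 1000);
        System.out.println("guarded: " + ok);
    }
}
```

The guard costs one extra tokenising pass over the input, so apply it only at the trust boundary (request bodies, uploaded files) rather than to every internal `readValue`. Where jackson-databind arrives transitively, as it does here through tika-parsers and spring-boot-starter-web, confirm after upgrading that the resolved version on the classpath actually changed rather than trusting the direct dependency bump alone.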

mend-for-github-com[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.