dashbrd / scala-blog Goto Github PK

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.7

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution: io.netty:netty-codec-http:4.1.59.Final

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36189

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36182

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.7

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Publish Date: 2021-01-07

URL: CVE-2020-36183

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

Release Date: 2019-06-24

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.6

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

Publish Date: 2020-03-26

URL: CVE-2020-10969

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969

Release Date: 2020-03-26

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.6;com.fasterxml.jackson.core:jackson-databind:2.7.9.7

Vulnerable Library - xercesImpl-2.11.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

Path to vulnerable library: /root/.ivy2/cache/xerces/xercesImpl/jars/xercesImpl-2.11.0.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ xercesImpl-2.11.0.jar (Vulnerable Library)

Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

Release Date: 2017-10-30

Fix Resolution: xerces:xercesImpl:2.12.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.0.rc1

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-datatype-jsr310-2.7.8.jar

Add-on module to support JSR-310 (Java 8 Date & Time API) data types.

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/bundles/jackson-datatype-jsr310-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-datatype-jsr310-2.7.8.jar (Vulnerable Library)

Vulnerability Details

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Publish Date: 2018-12-20

URL: CVE-2018-1000873

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000873

Release Date: 2018-12-20

Fix Resolution (com.fasterxml.jackson.datatype:jackson-datatype-jsr310): 2.9.8

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.7.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36185

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.4

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.7

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

Release Date: 2018-01-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.7.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36184

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to vulnerable library: /root/.ivy2/cache/commons-codec/commons-codec/jars/commons-codec-1.10.jar

Dependency Hierarchy:

• play2-reactivemongo_2.11-0.12.0.jar (Root Library)
  • reactivemongo_2.11-0.12.0.jar
    • ❌ commons-codec-1.10.jar (Vulnerable Library)

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.4

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - netty-codec-http-4.0.41.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to vulnerable library: /root/.ivy2/cache/io.netty/netty-codec-http/jars/netty-codec-http-4.0.41.Final.jar

Dependency Hierarchy:

• play-netty-server_2.11-2.5.13.jar (Root Library)
  • netty-reactive-streams-http-1.0.8.jar
    • ❌ netty-codec-http-4.0.41.Final.jar (Vulnerable Library)

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-codec-http:4.1.44

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.0.rc1

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.6

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Release Date: 2018-02-26

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.3

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-core-2.7.8.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-core/bundles/jackson-core-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-core-2.7.8.jar (Vulnerable Library)

Vulnerability Details

In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.

Publish Date: 2018-06-24

URL: WS-2018-0124

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124

Release Date: 2018-01-24

Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.8.6

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.7.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36181

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Publish Date: 2020-04-07

URL: CVE-2020-11619

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619

Release Date: 2020-04-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.0.rc1

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.6

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.7

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525

Release Date: 2017-04-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.1

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - xercesImpl-2.11.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

Path to vulnerable library: /root/.ivy2/cache/xerces/xercesImpl/jars/xercesImpl-2.11.0.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ xercesImpl-2.11.0.jar (Vulnerable Library)

Vulnerability Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Publish Date: 2013-07-23

URL: CVE-2013-4002

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

Release Date: 2013-07-23

Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36187

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - guava-16.0.1.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

Library home page: http://code.google.com/p/guava-libraries

Path to vulnerable library: /root/.ivy2/cache/com.google.guava/guava/bundles/guava-16.0.1.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • guice-4.0.jar
      • ❌ guava-16.0.1.jar (Vulnerable Library)

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution (com.google.guava:guava): 24.1.1-android

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.7.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Publish Date: 2020-04-07

URL: CVE-2020-11620

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620

Release Date: 2020-04-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-06-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.6

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2017-06-27

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.4

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36186

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Publish Date: 2020-03-26

URL: CVE-2020-10968

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10968

Release Date: 2020-03-26

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.0.rc1

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-09

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.4

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0

Vulnerable Library - netty-codec-http-4.0.41.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to vulnerable library: /root/.ivy2/cache/io.netty/netty-codec-http/jars/netty-codec-http-4.0.41.Final.jar

Dependency Hierarchy:

• play-netty-server_2.11-2.5.13.jar (Root Library)
  • netty-reactive-streams-http-1.0.8.jar
    • ❌ netty-codec-http-4.0.41.Final.jar (Vulnerable Library)

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution: io.netty:netty-all:4.1.60;io.netty:netty-codec-http:4.1.60;io.netty:netty-codec-http2:4.1.60

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

Release Date: 2017-03-13

Fix Resolution (ch.qos.logback:logback-classic): 1.2.0

Direct dependency fix Resolution (com.typesafe.play:play-logback_2.11): 2.5.14

Vulnerable Library - guava-16.0.1.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

Library home page: http://code.google.com/p/guava-libraries

Path to vulnerable library: /root/.ivy2/cache/com.google.guava/guava/bundles/guava-16.0.1.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • guice-4.0.jar
      • ❌ guava-16.0.1.jar (Vulnerable Library)

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36180

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36188

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

Vulnerable Library - jackson-databind-2.7.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to vulnerable library: /root/.ivy2/cache/com.fasterxml.jackson.core/jackson-databind/bundles/jackson-databind-2.7.8.jar

Dependency Hierarchy:

• play-server_2.11-2.5.13.jar (Root Library)
  • play_2.11-2.5.13.jar
    • ❌ jackson-databind-2.7.8.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.7.9.5

Direct dependency fix Resolution (com.typesafe.play:play-server_2.11): 2.6.0