mohib-hub / karate Goto Github PK
View Code? Open in Web Editor NEWThis project forked from karatelabs/karate
Test Automation Made Simple
Home Page: https://intuit.github.io/karate/
License: MIT License
karate's People
Contributors
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
karate's Issues
CVE-2019-14892 (High) detected in multiple libraries
CVE-2019-14892 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14892
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2462
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10
CVE-2017-18640 (High) detected in snakeyaml-1.24.jar, snakeyaml-1.17.jar
CVE-2017-18640 - High Severity Vulnerability
Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.17.jar
snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
- karate-junit5-0.9.5.jar (Root Library)
- karate-core-0.9.5.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- karate-core-0.9.5.jar
snakeyaml-1.17.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.17/7a27ea250c5130b2922b86dea63cbb1cc10a660c/snakeyaml-1.17.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.17/7a27ea250c5130b2922b86dea63cbb1cc10a660c/snakeyaml-1.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-1.5.3.RELEASE.jar
- ❌ snakeyaml-1.17.jar (Vulnerable Library)
- spring-boot-starter-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution: org.yaml:snakeyaml:1.26
CVE-2018-19361 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-19361 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution: 2.9.8
CVE-2018-7489 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-7489 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Publish Date: 2018-02-26
URL: CVE-2018-7489
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489
Release Date: 2018-02-26
Fix Resolution: 2.8.11.1,2.9.5
CVE-2018-8014 (High) detected in tomcat-embed-core-8.5.14.jar
CVE-2018-8014 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
Publish Date: 2018-05-16
URL: CVE-2018-8014
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
Release Date: 2018-05-16
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.10,8.5.32,8.0.53,7.0.90,org.apache.tomcat:tomcat-catalina:9.0.10,8.5.32,8.0.53,7.0.90
CVE-2019-11272 (High) detected in spring-security-core-4.2.2.RELEASE.jar
CVE-2019-11272 - High Severity Vulnerability
Vulnerable Library - spring-security-core-4.2.2.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/4.2.2.RELEASE/b4797b71d9f7d1a4b76b5d095ac20868369a8c31/spring-security-core-4.2.2.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/4.2.2.RELEASE/b4797b71d9f7d1a4b76b5d095ac20868369a8c31/spring-security-core-4.2.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-security-1.5.3.RELEASE.jar (Root Library)
- spring-security-web-4.2.2.RELEASE.jar
- ❌ spring-security-core-4.2.2.RELEASE.jar (Vulnerable Library)
- spring-security-web-4.2.2.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Publish Date: 2019-06-26
URL: CVE-2019-11272
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272
Release Date: 2019-06-26
Fix Resolution: org.springframework.security:spring-security-core:4.2.13.RELEASE
CVE-2019-14379 (High) detected in multiple libraries
CVE-2019-14379 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Publish Date: 2019-07-29
URL: CVE-2019-14379
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
Release Date: 2019-07-29
Fix Resolution: 2.9.9.2
CVE-2018-8037 (Medium) detected in tomcat-embed-core-8.5.14.jar
CVE-2018-8037 - Medium Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
Publish Date: 2018-08-02
URL: CVE-2018-8037
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037
Release Date: 2018-08-02
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.10,8.5.32,org.apache.tomcat:tomcat-coyote:9.0.10,8.5.32
CVE-2018-14721 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-14721 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.7,2.8.11.3,2.7.9.5,2.6.7.3
CVE-2019-12086 (High) detected in multiple libraries
CVE-2019-12086 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
CVE-2018-19360 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-19360 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.5,2.8.11.3,2.9.8,2.10.0.pr1
CVE-2018-1271 (Medium) detected in spring-webmvc-4.3.8.RELEASE.jar
CVE-2018-1271 - Medium Severity Vulnerability
Vulnerable Library - spring-webmvc-4.3.8.RELEASE.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.8.RELEASE/7a00452c350de0fb80ecbcecfb8ce0145c46141e/spring-webmvc-4.3.8.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.8.RELEASE/7a00452c350de0fb80ecbcecfb8ce0145c46141e/spring-webmvc-4.3.8.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ spring-webmvc-4.3.8.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Publish Date: 2018-04-06
URL: CVE-2018-1271
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271
Release Date: 2018-04-06
Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE
CVE-2018-14719 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-14719 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719
Release Date: 2019-01-02
Fix Resolution: 2.9.7
CVE-2020-10673 (High) detected in multiple libraries
CVE-2020-10673 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
Publish Date: 2020-03-18
URL: CVE-2020-10673
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2660
Release Date: 2020-03-18
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4
CVE-2019-17531 (High) detected in multiple libraries
CVE-2019-17531 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
CVE-2018-19362 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-19362 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution: 2.9.8
CVE-2017-7674 (Medium) detected in tomcat-embed-core-8.5.14.jar
CVE-2017-7674 - Medium Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
Publish Date: 2017-08-11
URL: CVE-2017-7674
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
Release Date: 2017-08-11
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M22,8.5.16,8.0.45,7.0.79,org.apache.tomcat:tomcat-catalina:9.0.0.M22,8.5.16,8.0.45,7.0.79
CVE-2019-20445 (High) detected in netty-codec-http-4.1.32.Final.jar
CVE-2019-20445 - High Severity Vulnerability
Vulnerable Library - netty-codec-http-4.1.32.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212749/netty-codec-http-4.1.32.Final.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212749/netty-codec-http-4.1.32.Final.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-recorder-3.0.2.jar
- ❌ netty-codec-http-4.1.32.Final.jar (Vulnerable Library)
- gatling-recorder-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-codec-http:4.1.44
CVE-2018-12022 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-12022 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12022
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6
CVE-2017-12617 (High) detected in tomcat-embed-core-8.5.14.jar
CVE-2017-12617 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Publish Date: 2017-10-04
URL: CVE-2017-12617
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
Release Date: 2017-10-04
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.1,7.0.82,8.0.47,8.5.23,org.apache.tomcat:tomcat-catalina:9.0.1,7.0.82,8.0.47,8.5.23
CVE-2019-20444 (High) detected in netty-codec-http-4.1.32.Final.jar
CVE-2019-20444 - High Severity Vulnerability
Vulnerable Library - netty-codec-http-4.1.32.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212749/netty-codec-http-4.1.32.Final.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212749/netty-codec-http-4.1.32.Final.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-recorder-3.0.2.jar
- ❌ netty-codec-http-4.1.32.Final.jar (Vulnerable Library)
- gatling-recorder-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
WS-2019-0379 (Medium) detected in commons-codec-1.11.jar, commons-codec-1.10.jar
WS-2019-0379 - Medium Severity Vulnerability
Vulnerable Libraries - commons-codec-1.11.jar, commons-codec-1.10.jar
commons-codec-1.11.jar
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Dependency Hierarchy:
- karate-apache-0.9.5.jar (Root Library)
- httpclient-4.5.11.jar
- ❌ commons-codec-1.11.jar (Vulnerable Library)
- httpclient-4.5.11.jar
commons-codec-1.10.jar
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar
Dependency Hierarchy:
- karate-netty-0.9.2.jar (Root Library)
- karate-apache-0.9.2.jar
- httpclient-4.5.3.jar
- ❌ commons-codec-1.10.jar (Vulnerable Library)
- httpclient-4.5.3.jar
- karate-apache-0.9.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
CVE-2018-14720 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-14720 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.9.7
CVE-2019-14893 (High) detected in multiple libraries
CVE-2019-14893 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14893
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0
CVE-2017-7525 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2017-7525 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Publish Date: 2018-02-06
URL: CVE-2017-7525
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
Release Date: 2018-02-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.1,2.7.9.1,2.8.9
CVE-2019-3795 (Medium) detected in spring-security-core-4.2.2.RELEASE.jar
CVE-2019-3795 - Medium Severity Vulnerability
Vulnerable Library - spring-security-core-4.2.2.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/4.2.2.RELEASE/b4797b71d9f7d1a4b76b5d095ac20868369a8c31/spring-security-core-4.2.2.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/4.2.2.RELEASE/b4797b71d9f7d1a4b76b5d095ac20868369a8c31/spring-security-core-4.2.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-security-1.5.3.RELEASE.jar (Root Library)
- spring-security-web-4.2.2.RELEASE.jar
- ❌ spring-security-core-4.2.2.RELEASE.jar (Vulnerable Library)
- spring-security-web-4.2.2.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Publish Date: 2019-04-09
URL: CVE-2019-3795
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2019-3795
Release Date: 2019-04-08
Fix Resolution: 4.2.12,5.0.12,5.1.5
CVE-2017-7675 (High) detected in tomcat-embed-core-8.5.14.jar
CVE-2017-7675 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.
Publish Date: 2017-08-11
URL: CVE-2017-7675
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-8.html
Release Date: 2017-08-11
Fix Resolution: 9.0.0.M22,8.5.16
CVE-2018-11775 (High) detected in activemq-client-5.15.2.jar, activemq-broker-5.15.2.jar
CVE-2018-11775 - High Severity Vulnerability
Vulnerable Libraries - activemq-client-5.15.2.jar, activemq-broker-5.15.2.jar
activemq-client-5.15.2.jar
The ActiveMQ Client implementation
Library home page: http://activemq.apache.org
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.activemq/activemq-client/5.15.2/5016f800482cfc19b50d08b9ab1482c813ea36ec/activemq-client-5.15.2.jar,le/caches/modules-2/files-2.1/org.apache.activemq/activemq-client/5.15.2/5016f800482cfc19b50d08b9ab1482c813ea36ec/activemq-client-5.15.2.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.activemq/activemq-client/5.15.2/5016f800482cfc19b50d08b9ab1482c813ea36ec/activemq-client-5.15.2.jar
Dependency Hierarchy:
- activemq-broker-5.15.2.jar (Root Library)
- activemq-openwire-legacy-5.14.5.jar
- ❌ activemq-client-5.15.2.jar (Vulnerable Library)
- activemq-openwire-legacy-5.14.5.jar
activemq-broker-5.15.2.jar
The ActiveMQ Message Broker implementation
Library home page: http://activemq.apache.org
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: le/caches/modules-2/files-2.1/org.apache.activemq/activemq-broker/5.15.2/f074023206a24eda1dea2a4fd78ce28d19e64bd/activemq-broker-5.15.2.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.activemq/activemq-broker/5.15.2/f074023206a24eda1dea2a4fd78ce28d19e64bd/activemq-broker-5.15.2.jar,le/caches/modules-2/files-2.1/org.apache.activemq/activemq-broker/5.15.2/f074023206a24eda1dea2a4fd78ce28d19e64bd/activemq-broker-5.15.2.jar
Dependency Hierarchy:
- ❌ activemq-broker-5.15.2.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
Publish Date: 2018-09-10
URL: CVE-2018-11775
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
Release Date: 2018-09-10
Fix Resolution: org.apache.activemq:activemq-broker:5.15.6;org.apache.activemq:activemq-client:5.15.6;org.apache.activemq:activemq-all:5.15.6
CVE-2019-16943 (High) detected in multiple libraries
CVE-2019-16943 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
CVE-2019-20330 (High) detected in multiple libraries
CVE-2019-20330 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2526
Release Date: 2020-01-03
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2
CVE-2018-14718 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-14718 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718
Release Date: 2019-01-02
Fix Resolution: 2.9.7
CVE-2019-14540 (High) detected in multiple libraries
CVE-2019-14540 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1
CVE-2017-15709 (Low) detected in activemq-client-5.15.2.jar
CVE-2017-15709 - Low Severity Vulnerability
Vulnerable Library - activemq-client-5.15.2.jar
The ActiveMQ Client implementation
Library home page: http://activemq.apache.org
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.activemq/activemq-client/5.15.2/5016f800482cfc19b50d08b9ab1482c813ea36ec/activemq-client-5.15.2.jar,le/caches/modules-2/files-2.1/org.apache.activemq/activemq-client/5.15.2/5016f800482cfc19b50d08b9ab1482c813ea36ec/activemq-client-5.15.2.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.activemq/activemq-client/5.15.2/5016f800482cfc19b50d08b9ab1482c813ea36ec/activemq-client-5.15.2.jar
Dependency Hierarchy:
- activemq-broker-5.15.2.jar (Root Library)
- activemq-openwire-legacy-5.14.5.jar
- ❌ activemq-client-5.15.2.jar (Vulnerable Library)
- activemq-openwire-legacy-5.14.5.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.
Publish Date: 2018-02-13
URL: CVE-2017-15709
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15709
Release Date: 2018-02-13
Fix Resolution: 5.15.3
CVE-2019-17267 (High) detected in multiple libraries
CVE-2019-17267 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2460
Release Date: 2019-10-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10
CVE-2018-11307 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-11307 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2032
Release Date: 2019-03-17
Fix Resolution: jackson-databind-2.9.6
CVE-2019-10072 (High) detected in tomcat-embed-core-8.5.14.jar
CVE-2019-10072 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Publish Date: 2019-06-21
URL: CVE-2019-10072
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
Release Date: 2019-06-21
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.20,8.5.41,org.apache.tomcat:tomcat-coyote:9.0.20,8.5.41
CVE-2018-8034 (High) detected in tomcat-embed-websocket-8.5.14.jar
CVE-2018-8034 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-websocket-8.5.14.jar
Core Tomcat implementation
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/8.5.14/254667b21d391dac7b1bc241c24be271d772caf7/tomcat-embed-websocket-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/8.5.14/254667b21d391dac7b1bc241c24be271d772caf7/tomcat-embed-websocket-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- ❌ tomcat-embed-websocket-8.5.14.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
Publish Date: 2018-08-01
URL: CVE-2018-8034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034
Release Date: 2018-08-01
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-websocket:9.0.10,8.5.32,8.0.53,7.0.90,org.apache.tomcat:tomcat-catalina:9.0.10,8.5.32,8.0.53,7.0.90
CVE-2017-4995 (High) detected in spring-security-core-4.2.2.RELEASE.jar
CVE-2017-4995 - High Severity Vulnerability
Vulnerable Library - spring-security-core-4.2.2.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/4.2.2.RELEASE/b4797b71d9f7d1a4b76b5d095ac20868369a8c31/spring-security-core-4.2.2.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/4.2.2.RELEASE/b4797b71d9f7d1a4b76b5d095ac20868369a8c31/spring-security-core-4.2.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-security-1.5.3.RELEASE.jar (Root Library)
- spring-security-web-4.2.2.RELEASE.jar
- ❌ spring-security-core-4.2.2.RELEASE.jar (Vulnerable Library)
- spring-security-web-4.2.2.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown "deserialization gadgets" when Spring Security enables default typing.
Publish Date: 2017-11-27
URL: CVE-2017-4995
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-4995
Release Date: 2017-11-27
Fix Resolution: org.springframework.security:spring-security-core:5.0.0.M5
CVE-2018-11040 (Medium) detected in multiple libraries
CVE-2018-11040 - Medium Severity Vulnerability
Vulnerable Libraries - spring-webmvc-4.3.8.RELEASE.jar, spring-web-4.3.8.RELEASE.jar, spring-websocket-4.3.8.RELEASE.jar
spring-webmvc-4.3.8.RELEASE.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.8.RELEASE/7a00452c350de0fb80ecbcecfb8ce0145c46141e/spring-webmvc-4.3.8.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.8.RELEASE/7a00452c350de0fb80ecbcecfb8ce0145c46141e/spring-webmvc-4.3.8.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ spring-webmvc-4.3.8.RELEASE.jar (Vulnerable Library)
spring-web-4.3.8.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/4.3.8.RELEASE/ec1b675c2e234b0c776d36ed56c691520030026f/spring-web-4.3.8.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/4.3.8.RELEASE/ec1b675c2e234b0c776d36ed56c691520030026f/spring-web-4.3.8.RELEASE.jar
Dependency Hierarchy:
- spring-websocket-4.3.8.RELEASE.jar (Root Library)
- ❌ spring-web-4.3.8.RELEASE.jar (Vulnerable Library)
spring-websocket-4.3.8.RELEASE.jar
Spring WebSocket
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: le/caches/modules-2/files-2.1/org.springframework/spring-websocket/4.3.8.RELEASE/8ad202048e01ba8abfd74cc2d0032c6722e1c65b/spring-websocket-4.3.8.RELEASE.jar,le/caches/modules-2/files-2.1/org.springframework/spring-websocket/4.3.8.RELEASE/8ad202048e01ba8abfd74cc2d0032c6722e1c65b/spring-websocket-4.3.8.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-websocket-4.3.8.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Publish Date: 2018-06-25
URL: CVE-2018-11040
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040
Release Date: 2018-06-25
Fix Resolution: org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-webmvc:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-websocket:5.0.7.RELEASE,4.3.18.RELEASE
CVE-2020-8840 (High) detected in multiple libraries
CVE-2020-8840 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2620
Release Date: 2020-02-10
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3
CVE-2018-5968 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-5968 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
Release Date: 2018-01-22
Fix Resolution: 2.8.11.1, 2.9.4
CVE-2019-14439 (High) detected in multiple libraries
CVE-2019-14439 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution: 2.9.9.2
CVE-2019-16335 (High) detected in multiple libraries
CVE-2019-16335 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2020-10-20
Fix Resolution: 2.9.10
CVE-2019-0199 (High) detected in tomcat-embed-core-8.5.14.jar
CVE-2019-0199 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.14.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.14/7ce577af04cadd7ab4b36f71503fc688d5d52ccf/tomcat-embed-core-8.5.14.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
- tomcat-embed-websocket-8.5.14.jar
- ❌ tomcat-embed-core-8.5.14.jar (Vulnerable Library)
- tomcat-embed-websocket-8.5.14.jar
- spring-boot-starter-tomcat-1.5.3.RELEASE.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Publish Date: 2019-04-10
URL: CVE-2019-0199
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
Release Date: 2019-04-10
Fix Resolution: rg.apache.tomcat.embed:tomcat-embed-core:9.0.16,8.5.38,org.apache.tomcat:tomcat-coyote:9.0.16,8.5.38
CVE-2018-12023 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2018-12023 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12023
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6
CVE-2019-12814 (Medium) detected in multiple libraries
CVE-2019-12814 - Medium Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2341
Release Date: 2019-06-19
Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0
CVE-2019-12384 (Medium) detected in multiple libraries
CVE-2019-12384 - Medium Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar, jackson-databind-2.9.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
jackson-databind-2.9.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212748/jackson-databind-2.9.8.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-core-3.0.2.jar
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)
- gatling-core-3.0.2.jar
- gatling-charts-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Publish Date: 2019-06-24
URL: CVE-2019-12384
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
Release Date: 2019-06-24
Fix Resolution: 2.9.9.1
CVE-2017-15095 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2017-15095 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Release Date: 2018-02-06
Fix Resolution: 2.8.10,2.9.1
CVE-2019-16869 (High) detected in netty-codec-http-4.1.32.Final.jar
CVE-2019-16869 - High Severity Vulnerability
Vulnerable Library - netty-codec-http-4.1.32.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: karate/examples/gatling/build.gradle
Path to vulnerable library: /tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212749/netty-codec-http-4.1.32.Final.jar,/tmp/ws-ua_20200323212715/downloadResource_20478f94-1633-47a1-ad79-827f8481d3e7/20200323212749/netty-codec-http-4.1.32.Final.jar
Dependency Hierarchy:
- karate-gatling-0.9.5.jar (Root Library)
- gatling-charts-highcharts-3.0.2.jar
- gatling-recorder-3.0.2.jar
- ❌ netty-codec-http-4.1.32.Final.jar (Vulnerable Library)
- gatling-recorder-3.0.2.jar
- gatling-charts-highcharts-3.0.2.jar
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Publish Date: 2019-09-26
URL: CVE-2019-16869
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
Release Date: 2019-09-26
Fix Resolution: io.netty:netty-all:4.1.42.Final,io.netty:netty-codec-http:4.1.42.Final
CVE-2017-17485 (High) detected in jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
CVE-2017-17485 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.5.jar, jackson-databind-2.8.8.jar
jackson-databind-2.8.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/examples/jobserver/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.5/b3035f37e674c04dafe36a660c3815cc59f764e2/jackson-databind-2.8.5.jar
Dependency Hierarchy:
- cucumber-reporting-3.8.0.jar (Root Library)
- ❌ jackson-databind-2.8.5.jar (Vulnerable Library)
jackson-databind-2.8.8.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: karate/karate-demo/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.8/bf88c7b27e95cbadce4e7c316a56c3efffda8026/jackson-databind-2.8.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.3.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.8.jar (Vulnerable Library)
Found in HEAD commit: c8766c8277306046ef9c6f01148b98b0d2bafe02
Vulnerability Details
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Publish Date: 2018-01-10
URL: CVE-2017-17485
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: FasterXML/jackson-databind@2235894
Release Date: 2017-12-19
Fix Resolution: Replace or update the following files: SubTypeValidator.java, BeanDeserializerFactory.java
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.