incplusplus / betterstat-server Goto Github PK

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /betterstat-server/src/main/resources/templates/registration.html

Path to vulnerable library: /betterstat-server/src/main/resources/templates/registration.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.1.6.RELEASE.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 45637e6bb6b0f97b5e780529f31e29027be6941a

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@5f7c69b

Release Date: 2019-06-14

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - tomcat-embed-core-8.5.32.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.32/tomcat-embed-core-8.5.32.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-2.0.4.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.32.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-04-10

URL: CVE-2019-0199

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199

Release Date: 2019-04-10

Fix Resolution: 8.5.38,9.0.14

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 355ad114e6dc389e93d19a3701967aac1e4a51c5

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267

Release Date: 2019-10-07

Fix Resolution: 2.9.10

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /betterstat-server/src/main/resources/templates/registration.html

Path to vulnerable library: /betterstat-server/src/main/resources/templates/registration.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • httpclient-4.5.6.jar
    • ❌ commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.1.6.RELEASE.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 7312eabe2650dc8d2e466d5ae2884273a9048247

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2

Vulnerable Library - jackson-datatype-jsr310-2.9.6.jar

Add-on module to support JSR-310 (Java 8 Date & Time API) data types.

Library home page: https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.9.6/jackson-datatype-jsr310-2.9.6.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.4.RELEASE.jar
    • ❌ jackson-datatype-jsr310-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Publish Date: 2018-12-20

URL: CVE-2018-1000873

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873

Release Date: 2018-12-20

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 13ad453afc5071335c9fb81c7c09ed1014f29428

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 8870d81ea655a8a3b5777eeff228a966cd404b53

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267

Release Date: 2019-10-07

Fix Resolution: 2.9.10

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.1.6.RELEASE.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 7312eabe2650dc8d2e466d5ae2884273a9048247

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

Vulnerable Library - jackson-datatype-jsr310-2.9.6.jar

Add-on module to support JSR-310 (Java 8 Date & Time API) data types.

Library home page: https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.9.6/jackson-datatype-jsr310-2.9.6.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.4.RELEASE.jar
    • ❌ jackson-datatype-jsr310-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Publish Date: 2018-12-20

URL: CVE-2018-1000873

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873

Release Date: 2018-12-20

Fix Resolution: 2.9.8

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /betterstat-server/src/main/resources/templates/registration.html

Path to vulnerable library: /betterstat-server/src/main/resources/templates/registration.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - spring-security-core-5.0.7.RELEASE.jar

spring-security-core

Library home page: http://spring.io/spring-security

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/security/spring-security-core/5.0.7.RELEASE/spring-security-core-5.0.7.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-security-2.0.4.RELEASE.jar (Root Library)
  • spring-security-config-5.0.7.RELEASE.jar
    • ❌ spring-security-core-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Publish Date: 2019-04-09

URL: CVE-2019-3795

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2019-3795

Release Date: 2019-04-08

Fix Resolution: 4.2.12,5.0.12,5.1.5

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 13ad453afc5071335c9fb81c7c09ed1014f29428

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • httpclient-4.5.6.jar
    • ❌ commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 2e5dd203e5022f8c31526e99fe0648c43a2ec1b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: 2.10.0.pr1

Vulnerable Library - spring-security-core-5.0.7.RELEASE.jar

spring-security-core

Library home page: http://spring.io/spring-security

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/security/spring-security-core/5.0.7.RELEASE/spring-security-core-5.0.7.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-security-2.0.4.RELEASE.jar (Root Library)
  • spring-security-config-5.0.7.RELEASE.jar
    • ❌ spring-security-core-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Publish Date: 2019-04-09

URL: CVE-2019-3795

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2019-3795

Release Date: 2019-04-08

Fix Resolution: 4.2.12,5.0.12,5.1.5

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: c1b50a6fcb8be7a68aa51f4eb1129649c8245204

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 355ad114e6dc389e93d19a3701967aac1e4a51c5

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Vulnerable Library - tomcat-embed-core-8.5.32.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.32/tomcat-embed-core-8.5.32.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-2.0.4.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.32.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-04-10

URL: CVE-2019-0199

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199

Release Date: 2019-04-10

Fix Resolution: 8.5.38,9.0.14

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - spring-web-5.0.8.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/spring-web/5.0.8.RELEASE/spring-web-5.0.8.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • ❌ spring-web-5.0.8.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /betterstat-server/src/main/resources/templates/registration.html

Path to vulnerable library: /betterstat-server/src/main/resources/templates/registration.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.0.M5.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 2e5dd203e5022f8c31526e99fe0648c43a2ec1b1

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - spring-web-5.0.8.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/spring-web/5.0.8.RELEASE/spring-web-5.0.8.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • ❌ spring-web-5.0.8.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.1.6.RELEASE.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 09d1964e6e2eefd0670c49f5844861d1b1f38a9b

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

• geoip2-2.12.0.jar (Root Library)
  • ❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

Vulnerable Library - tomcat-embed-core-8.5.32.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.32/tomcat-embed-core-8.5.32.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-2.0.4.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.32.jar (Vulnerable Library)

Found in HEAD commit: e3398a9573ec42f089b2b2360f53767809fbb7c0

Vulnerability Details

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-06-21

URL: CVE-2019-10072

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41

Release Date: 2019-06-21

Fix Resolution: 8.5.41,9.0.20

Vulnerable Library - tomcat-embed-core-8.5.32.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /betterstat-server/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.32/tomcat-embed-core-8.5.32.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.0.4.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-2.0.4.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.32.jar (Vulnerable Library)

Found in HEAD commit: 6c026eb8b67245c860f7cfd3312980b3081c3cbe

Vulnerability Details

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-06-21

URL: CVE-2019-10072

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41

Release Date: 2019-06-21

Fix Resolution: 8.5.41,9.0.20