mchernolevskyi / phototrivia Goto Github PK

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

Release Date: 2019-08-12

Fix Resolution: 2.9.9.1

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Publish Date: 2018-06-26

URL: CVE-2017-7657

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerable Library - spring-core-5.0.4.RELEASE.jar

Spring Core

path: /root/.m2/repository/org/springframework/spring-core/5.0.4.RELEASE/spring-core-5.0.4.RELEASE.jar

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

• spring-security-web-5.1.2.RELEASE.jar (Root Library)
  • ❌ spring-core-5.0.4.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-1272

Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.5 4.3.x users should upgrade to 4.3.15 There are no other mitigation steps necessary.

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.2.2.RELEASE.jar (Root Library)
  • spring-boot-starter-2.2.2.RELEASE.jar
    • ❌ snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: org.yaml:snakeyaml:1.26

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2

Vulnerable Libraries - spring-webmvc-5.2.2.RELEASE.jar, spring-web-5.2.2.RELEASE.jar

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Publish Date: 2020-01-17

URL: CVE-2020-5397

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2020-5397

Release Date: 2020-01-17

Fix Resolution: 5.2.3

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Vulnerable Library - metadata-extractor-2.11.0.jar

Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.

Library home page: https://drewnoakes.com/code/exif/

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: canner/.m2/repository/com/drewnoakes/metadata-extractor/2.11.0/metadata-extractor-2.11.0.jar

Dependency Hierarchy:

• ❌ metadata-extractor-2.11.0.jar (Vulnerable Library)

Found in HEAD commit: 6f50689e78ea56febda97fec0c51b9090deacb0a

Vulnerability Details

MetadataExtractor 2.1.0 allows stack consumption.

Publish Date: 2019-07-25

URL: CVE-2019-14262

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: drewnoakes/metadata-extractor-dotnet#190

Release Date: 2019-07-25

Fix Resolution: 2.2.0

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - spring-webmvc-5.0.4.RELEASE.jar

Spring Web MVC

path: /root/.m2/repository/org/springframework/spring-webmvc/5.0.4.RELEASE/spring-webmvc-5.0.4.RELEASE.jar

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • ❌ spring-webmvc-5.0.4.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Publish Date: 2018-04-06

URL: CVE-2018-1271

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271

Release Date: 2018-04-06

Fix Resolution: 5.0.5.RELEASE

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2341

Release Date: 2019-06-19

Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0

Vulnerable Library - jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Library home page: http://www.eclipse.org/jetty

Dependency Hierarchy:

• spring-boot-starter-jetty-2.1.1.RELEASE.jar (Root Library)
  • jetty-webapp-9.4.8.v20171121.jar
    • jetty-servlet-9.4.8.v20171121.jar
      • jetty-security-9.4.8.v20171121.jar
        • ❌ jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Publish Date: 2018-06-22

URL: CVE-2018-12538

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerable Library - jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Dependency Hierarchy:

• spring-boot-starter-jetty-2.1.1.RELEASE.jar (Root Library)
  • jetty-webapp-9.4.8.v20171121.jar
    • jetty-servlet-9.4.8.v20171121.jar
      • jetty-security-9.4.8.v20171121.jar
        • ❌ jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Publish Date: 2019-04-22

URL: CVE-2019-10241

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241

Release Date: 2019-04-22

Fix Resolution: 9.2.27.v20190403,9.3.26.v20190403,9.4.16.v20190411

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Publish Date: 2018-06-25

URL: CVE-2018-11040

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11040

Release Date: 2018-06-25

Fix Resolution: 5.0.7,4.3.18

Vulnerable Library - spring-web-5.2.2.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.2.RELEASE/spring-web-5.2.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.2.2.RELEASE.jar (Root Library)
  • ❌ spring-web-5.2.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: 2020-09-19

URL: CVE-2020-5421

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: 2020-07-21

Fix Resolution: org.springframework:spring-web:5.2.9,org.springframework:spring-web:5.1.18,org.springframework:spring-web:5.0.19,org.springframework:spring-web:4.3.29

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Release Date: 2018-02-26

Fix Resolution: 2.8.11.1,2.9.5

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1671098

Fix Resolution: Upgrade to version jackson-databind-2.9.8-1.fc29 or greater

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@7487cf7

Release Date: 2018-06-01

Fix Resolution: Replace or update the following file: SubTypeValidator.java

Vulnerable Library - spring-web-5.0.4.RELEASE.jar

Spring Web

path: /root/.m2/repository/org/springframework/spring-web/5.0.4.RELEASE/spring-web-5.0.4.RELEASE.jar

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • ❌ spring-web-5.0.4.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

Vulnerable Library - spring-security-core-5.1.2.RELEASE.jar

spring-security-core

Library home page: http://spring.io/spring-security

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: canner/.m2/repository/org/springframework/security/spring-security-core/5.1.2.RELEASE/spring-security-core-5.1.2.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-security-core-5.1.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Publish Date: 2019-04-09

URL: CVE-2019-3795

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2019-3795

Release Date: 2019-04-08

Fix Resolution: 4.2.12,5.0.12,5.1.5

Vulnerable Library - jackson-databind-2.10.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.1/jackson-databind-2.10.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.2.2.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.2.2.RELEASE.jar
    • ❌ jackson-databind-2.10.1.jar (Vulnerable Library)

Found in HEAD commit: b7ab014ac40dbb8defcff1cbccee66cdedb51c9d

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2589

Release Date: 2020-12-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.4,2.9.10.7,2.10.5.1,2.11.0.rc1

Vulnerable Library - spring-web-5.0.4.RELEASE.jar

Spring Web

path: /root/.m2/repository/org/springframework/spring-web/5.0.4.RELEASE/spring-web-5.0.4.RELEASE.jar

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • ❌ spring-web-5.0.4.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Publish Date: 2018-06-25

URL: CVE-2018-11039

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11039

Release Date: 2018-06-25

Fix Resolution: 5.0.7,4.3.18

Vulnerable Library - jackson-datatype-jsr310-2.9.4.jar

Add-on module to support JSR-310 (Java 8 Date & Time API) data types.

path: /root/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.9.4/jackson-datatype-jsr310-2.9.4.jar

Library home page: https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-datatype-jsr310-2.9.4.jar (Vulnerable Library)

Vulnerability Details

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Publish Date: 2018-12-20

URL: CVE-2018-1000873

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873

Release Date: 2018-12-20

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jetty-server-9.4.24.v20191120.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.24.v20191120/jetty-server-9.4.24.v20191120.jar

Dependency Hierarchy:

• spring-boot-starter-jetty-2.2.2.RELEASE.jar (Root Library)
  • jetty-webapp-9.4.24.v20191120.jar
    • jetty-servlet-9.4.24.v20191120.jar
      • jetty-security-9.4.24.v20191120.jar
        • ❌ jetty-server-9.4.24.v20191120.jar (Vulnerable Library)

Found in HEAD commit: b7ab014ac40dbb8defcff1cbccee66cdedb51c9d

Vulnerability Details

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Publish Date: 2020-11-28

URL: CVE-2020-27218

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-86wm-rrjm-8wh8

Release Date: 2020-11-28

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3

Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Publish Date: 2018-06-26

URL: CVE-2017-7658

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerable Library - spring-security-core-5.1.2.RELEASE.jar

spring-security-core

Library home page: http://spring.io/spring-security

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: canner/.m2/repository/org/springframework/security/spring-security-core/5.1.2.RELEASE/spring-security-core-5.1.2.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-security-core-5.1.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Publish Date: 2020-05-14

URL: CVE-2020-5408

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408

Release Date: 2020-05-14

Fix Resolution: org.springframework.security:spring-security-crypto:4.2.16,5.0.16,5.1.10,5.2.4,5.3.2,org.springframework.security:spring-security-core:4.2.16,5.0.16,5.1.10,5.2.4,5.3.2

Vulnerable Library - spring-web-5.2.2.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.2.RELEASE/spring-web-5.2.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.2.2.RELEASE.jar (Root Library)
  • ❌ spring-web-5.2.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Publish Date: 2020-01-17

URL: CVE-2020-5398

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2020-5398

Release Date: 2020-01-17

Fix Resolution: org.springframework:spring-web:5.0.16.RELEASE,org.springframework:spring-web:5.1.13.RELEASE,org.springframework:spring-web:5.2.3.RELEASE

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerability Details

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Publish Date: 2018-06-27

URL: CVE-2018-12536

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605).

9.2.25.v20180606, 9.3.24.v20180605

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

Vulnerable Library - spring-web-5.2.2.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.2.RELEASE/spring-web-5.2.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.2.2.RELEASE.jar (Root Library)
  • ❌ spring-web-5.2.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: spring-projects/spring-framework@76964e1

Release Date: 2016-05-03

Fix Resolution: Replace or update the following files: HttpInvokerProxyFactoryBean.java, HttpInvokerServiceExporter.java

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /photoTrivia/pom.xml

Path to vulnerable library: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Dependency Hierarchy:

• spring-boot-starter-jetty-2.1.1.RELEASE.jar (Root Library)
  • jetty-webapp-9.4.8.v20171121.jar
    • jetty-servlet-9.4.8.v20171121.jar
      • jetty-security-9.4.8.v20171121.jar
        • ❌ jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Found in HEAD commit: 8c6b52f5fb962a6e6707ab8f1a397860ab036422

Vulnerability Details

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Publish Date: 2019-04-22

URL: CVE-2019-10247

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577

Release Date: 2019-04-22

Fix Resolution: 9.2.28.v20190418

Vulnerable Library - jackson-databind-2.9.4.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.0.0.BUILD-SNAPSHOT.jar
    • ❌ jackson-databind-2.9.4.jar (Vulnerable Library)

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@27b4def

Release Date: 2018-05-11

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Vulnerable Library - jetty-webapp-9.4.24.v20191120.jar

Jetty web application support

Library home page: http://www.eclipse.org/jetty

Path to dependency file: photoTrivia/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.24.v20191120/jetty-webapp-9.4.24.v20191120.jar

Dependency Hierarchy:

• spring-boot-starter-jetty-2.2.2.RELEASE.jar (Root Library)
  • ❌ jetty-webapp-9.4.24.v20191120.jar (Vulnerable Library)

Found in HEAD commit: 2372141ef4d8e88431e0efd4c1a0dfb47d0e57c7

Vulnerability Details

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Publish Date: 2020-10-23

URL: CVE-2020-27216

CVSS 3 Score Details (7.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921

Release Date: 2020-10-20

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.33,10.0.0.beta3,11.0.0.beta3;org.eclipse.jetty:jetty-webapp:9.4.33,10.0.0.beta3,11.0.0.beta3