Vulnerable Library - jackson-databind-2.9.7.jar

General data-binding functionality for Jackson: works on core streaming API

path: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.7/jackson-databind-2.9.7.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• ❌ jackson-databind-2.9.7.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - h2-1.4.197.jar

H2 Database Engine

path: 2/repository/com/h2database/h2/1.4.197/h2-1.4.197.jar

Library home page: http://www.h2database.com

Dependency Hierarchy:

• ❌ h2-1.4.197.jar (Vulnerable Library)

Vulnerability Details

H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code.

Publish Date: 2018-04-11

URL: CVE-2018-10054

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

path: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Library home page: http://commons.apache.org/proper/commons-codec/

Dependency Hierarchy:

• poi-4.0.1.jar (Root Library)
  • ❌ commons-codec-1.11.jar (Vulnerable Library)

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Library - jackson-datatype-jsr310-2.9.7.jar

Add-on module to support JSR-310 (Java 8 Date & Time API) data types.

path: /root/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.9.7/jackson-datatype-jsr310-2.9.7.jar

Library home page: https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310

Dependency Hierarchy:

• spring-boot-starter-web-2.1.1.RELEASE.jar (Root Library)
  • spring-boot-starter-json-2.1.1.RELEASE.jar
    • ❌ jackson-datatype-jsr310-2.9.7.jar (Vulnerable Library)

Vulnerability Details

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Publish Date: 2018-12-20

URL: CVE-2018-1000873

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873

Release Date: 2018-12-20

Fix Resolution: 2.9.8